Do not store username and password as session notes during authentication if they are not needed.

Only FormAuthenticator reads those notes and only in the rare case when caching is turned off. Other authenticators do not need them.
If any third-party authenticator needs them, it can override register(..) as FormAuthenticator does here.

It is a review of commit 1ecba14e690cf5f3f143eef6ae7037a6d3c16652.
diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 52bff92..f5e76a3 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -918,22 +918,9 @@
         }
 
         // Cache the authentication information in our session, if any
-        if (session != null) {
-            if (cache) {
-                session.setAuthType(authType);
-                session.setPrincipal(principal);
-            } else {
-                if (username != null) {
-                    session.setNote(Constants.SESS_USERNAME_NOTE, username);
-                } else {
-                    session.removeNote(Constants.SESS_USERNAME_NOTE);
-                }
-                if (password != null) {
-                    session.setNote(Constants.SESS_PASSWORD_NOTE, password);
-                } else {
-                    session.removeNote(Constants.SESS_PASSWORD_NOTE);
-                }
-            }
+        if (session != null && cache) {
+            session.setAuthType(authType);
+            session.setPrincipal(principal);
         }
 
         // Construct a cookie to be returned to the client
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 1204d4c..e5e1d8d 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -369,6 +369,33 @@
     }
 
 
+    @Override
+    public void register(Request request, HttpServletResponse response,
+            Principal principal, String authType, String username,
+            String password) {
+
+        super.register(request, response, principal, authType, username, password);
+
+        // If caching an authenticated Principal is turned off,
+        // store username and password as session notes to use them for re-authentication.
+        if (!cache) {
+            Session session = request.getSessionInternal(false);
+            if (session != null) {
+                if (username != null) {
+                    session.setNote(Constants.SESS_USERNAME_NOTE, username);
+                } else {
+                    session.removeNote(Constants.SESS_USERNAME_NOTE);
+                }
+                if (password != null) {
+                    session.setNote(Constants.SESS_PASSWORD_NOTE, password);
+                } else {
+                    session.removeNote(Constants.SESS_PASSWORD_NOTE);
+                }
+            }
+        }
+    }
+
+
     /**
      * Called to forward to the login page
      *
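Review bot: The new `register` override has no Javadoc, and since it is the one place that now keeps a cleartext password in the session, the reason and the condition deserve to be documented on the method rather than only in the inline comment on lines 52-53. Suggested header: `/** {@inheritDoc} When Principal caching is disabled, the username and password are additionally kept as session notes so that this authenticator can re-authenticate on later requests; when caching is enabled the notes are left untouched. */`. Note that with `cache` enabled the method deliberately does not remove existing notes, which is consistent with the original code in AuthenticatorBase but worth stating so a later reader does not add a removal without considering the re-authentication path. The method is fully contained in the hunk.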
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 1d43ebd..35379ab 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -99,6 +99,10 @@
         the authenticated Principal is not cached in the session when caching is
         disabled. (markt)
       </fix>
+      <update>
+        Do not store username and password as session notes during
+        authentication if they are not needed. (kkolinko)
+      </update>
     </changelog>
   </subsection>
   <subsection name="Coyote">