[jira] [Work logged] (FEDIZ-243) Fediz tomcat valve is broken with recent tomcat version


Ivan Topić (Jira)

     [ https://issues.apache.org/jira/browse/FEDIZ-243?focusedWorklogId=385984&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-385984 ]

ASF GitHub Bot logged work on FEDIZ-243:

                Author: ASF GitHub Bot
            Created on: 12/Feb/20 15:23
            Start Date: 12/Feb/20 15:23
    Worklog Time Spent: 10m
      Work Description: amergey commented on pull request #49: A proposed fix for FEDIZ-243
URL: https://github.com/apache/cxf-fediz/pull/49
   Get rid of Constants.FORM_PRINCIPAL_NOTE, which is not used anymore in
   FormAuthenticator.
   Note that FederationAuthenticator will no longer work with Tomcat versions older than 8.5.50 and 9.0.30. People who are using an old Tomcat version would have to use an old version of the plugin.
   There could be an alternative change that would keep compatibility, but I am not sure it is desirable, as
   FormAuthenticator has been changed for a reason.
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[hidden email]

Issue Time Tracking

            Worklog Id:     (was: 385984)
    Remaining Estimate: 0h
            Time Spent: 10m

> Fediz tomcat valve is broken with recent tomcat version
> -------------------------------------------------------
>                 Key: FEDIZ-243
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-243
>             Project: CXF-Fediz
>          Issue Type: Bug
>          Components: Plugin
>    Affects Versions: 1.4.6
>            Reporter: Arnaud MERGEY
>            Priority: Critical
>              Labels: tomcat
>          Time Spent: 10m
>  Remaining Estimate: 0h
> Since 8.5.50 and 9.0.30, the Fediz Tomcat valve stops working.
> With these versions of Tomcat the authentication never succeeds, even with correct credentials, and falls into an infinite redirect loop between Tomcat and the IDP server.
> This behavior is due to matchRequest from FormAuthenticator always returning false.
> A security fix has been applied to FormAuthenticator:
> _Refactor FORM authentication to reduce duplicate code and to ensure that the authenticated Principal is not cached in the session when caching is disabled. (markt)_
> This was done in this commit:
> [https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652#diff-d3a23672da52a023e04cefd774dbe896]

This message was sent by Atlassian Jira