Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 2.5.2
Affects Version/s: 0.7.20
Labels:
None
Environment:

JDK 1.4.2, Tomcat 5.5.25

Last commented by user?:
false

If a Filter prior to LoginFilter/SecurityFilter creates a session with request.getSession(), then cookie-based autologin will fail.

This is because DefaultAuthenticator.getUser(request, response) tests for an existing session. Upon finding one, it assumes that this session was created by Seraph and looks for the user. If it finds none, then it skips cookie auth and tries basic auth.

It would be better to try cookie auth if no sessionUser is found and not assume the existence of a session means Seraph had a go at the authentication already.

causes

SER-110 Logging out clears cookie put possibly doesn't clear session info

Closed

duplicates

SER-92 Session is needlessly created by HttpSecurityWrapper::getUserPrincipal

RESOLVED

relates to

SER-114 Basic HTTP authentication broken by previous changes

Closed

Assignee:: Graeme Smith

Reporter:: Matt Bishop

Participants:: Andreas Knecht, Christopher Owen [Atlassian], Graeme Smith, Jed Wesley-Smith, Matt Bishop, Samuel Le Berrigaud

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 24/Sep/2007 7:24 PM

Updated:: 13/Sep/2013 3:22 AM

Resolved:: 05/Dec/2011 12:53 AM

Last commented:: 12 years, 35 weeks, 5 days ago

Details

Description

Attachments

Issue Links

Activity

People

Dates