Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 2.5.2
Affects Version/s: 0.7.20
Labels:
None
Environment:

JDK 1.4.2, Tomcat 5.5.25

If a Filter prior to LoginFilter/SecurityFilter creates a session with request.getSession(), then cookie-based autologin will fail.

This is because DefaultAuthenticator.getUser(request, response) tests for an existing session. Upon finding one, it assumes that this session was created by Seraph and looks for the user. If it finds none, then it skips cookie auth and tries basic auth.

It would be better to try cookie auth if no sessionUser is found and not assume the existence of a session means Seraph had a go at the authentication already.

causes

SER-110 Logging out clears cookie put possibly doesn't clear session info

Closed

duplicates

SER-92 Session is needlessly created by HttpSecurityWrapper::getUserPrincipal

RESOLVED

relates to

SER-114 Basic HTTP authentication broken by previous changes

Closed

Assignee:: Graeme Smith
Reporter:: Matt Bishop
Votes:: 0 Vote for this issue
Watchers:: 2 Start watching this issue

Created:: 24/Sep/2007 7:24 PM
Updated:: 13/Sep/2013 3:22 AM
Resolved:: 05/Dec/2011 12:53 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates