avoided race in FormAuth by not sending redirect until after session attribute set

Greg Wilkins 2012-08-20 22:28:03 +10:00
parent e0276a8f65
commit c1a454c278
1 changed files with 11 additions and 10 deletions


@ -216,19 +216,20 @@ public class FormAuthenticator extends LoginAuthenticator
synchronized(session) synchronized(session)
{ {
nuri = (String) session.getAttribute(__J_URI); nuri = (String) session.getAttribute(__J_URI);
}
if (nuri == null || nuri.length() == 0)
if (nuri == null || nuri.length() == 0) {
{ nuri = request.getContextPath();
nuri = request.getContextPath(); if (nuri.length() == 0)
if (nuri.length() == 0) nuri = URIUtil.SLASH;
nuri = URIUtil.SLASH; }
Authentication cached=new SessionAuthentication(getAuthMethod(),user,password);
session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached);
} }
response.setContentLength(0); response.setContentLength(0);
response.sendRedirect(response.encodeRedirectURL(nuri)); response.sendRedirect(response.encodeRedirectURL(nuri));
Authentication cached=new SessionAuthentication(getAuthMethod(),user,password);
session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached);
return new FormAuthentication(getAuthMethod(),user); return new FormAuthentication(getAuthMethod(),user);
} }
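Review bot: Nothing in the new code records why `session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached)` must run inside `synchronized(session)` and before `response.sendRedirect(...)`, so a later tidy-up could move it back below the redirect and reintroduce the race. A comment directly above the attribute write would pin the ordering, for example `// Store the authentication before the redirect is sent: the client may follow it on another thread before this method returns.` The same statement passes `password` into the object stored in the session, so the credential appears to stay reachable for the life of the login; that matters where sessions are persisted or replicated and deserves a note as well. The enclosing method begins outside the hunk, so whether the session id is renewed before this point cannot be judged from here.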