[FEDIZ-243] Fediz tomcat valve is broken with recent tomcat version - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.4.6
Fix Version/s: 1.5.0
Component/s: Plugin
Labels:
- tomcat

Description

Since 8.5.50 and 9.0.30, the fediz tomcat valve stop working.

With these versions of tomcat the authentication never succeed, even with correct credentials, and fall in an infinite redirect loop between tomcat and the IDP server.

This behavior is due to matchRequest from FormAuthenticator is always returning false.

A security fix has been applied to FormAuthenticator:

Refactor FORM authentication to reduce duplicate code and to ensure that the authenticated Principal is not cached in the session when caching is disabled. (markt)

Which has been done with this commit

https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652#diff-d3a23672da52a023e04cefd774dbe896

Attachments

Issue Links

is depended upon by

FEDIZ-244 Update to Tomcat 9.0.35

Closed

is duplicated by

FEDIZ-249 Relying party rejects a valid security token and redirects back to ADFS when using Fediz 1.4.6 with Tomcat 8.5.56

Resolved

links to

GitHub Pull Request #49

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Arnaud MERGEY

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 06/Feb/20 16:09

Updated:: 23/Jun/20 08:58

Resolved:: 21/May/20 11:20

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

10m