authorGreg Wilkins2012-08-20 08:28:03 -0400
committerGreg Wilkins2012-08-20 08:29:08 -0400
commitc1a454c2780f6a70a70399f15b937df536c82647 (patch)
tree22978a0df3a21c25903cd5a33f5d547ae3fdcd26 /jetty-security/src
parente0276a8f65f882b0468d8b299e3ad362b1bfb536 (diff)
avoided race in FormAuth by not sending redirect until after session attribute set
Diffstat (limited to 'jetty-security/src')
-rw-r--r--jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java21
1 files changed, 11 insertions, 10 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index 6bfae412fb..ccb00a200d 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -216,19 +216,20 @@ public class FormAuthenticator extends LoginAuthenticator
synchronized(session)
{
nuri = (String) session.getAttribute(__J_URI);
- }
-
- if (nuri == null || nuri.length() == 0)
- {
- nuri = request.getContextPath();
- if (nuri.length() == 0)
- nuri = URIUtil.SLASH;
+
+ if (nuri == null || nuri.length() == 0)
+ {
+ nuri = request.getContextPath();
+ if (nuri.length() == 0)
+ nuri = URIUtil.SLASH;
+ }
+
+ Authentication cached=new SessionAuthentication(getAuthMethod(),user,password);
+ session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached);
}
response.setContentLength(0);
response.sendRedirect(response.encodeRedirectURL(nuri));
-
- Authentication cached=new SessionAuthentication(getAuthMethod(),user,password);
- session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached);
+
return new FormAuthentication(getAuthMethod(),user);
}
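Review bot: Nothing in the new code records why `session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached)` now has to run before `response.sendRedirect(...)`, so a later tidy-up could move it back below the redirect and reintroduce the race in which the client's follow-up request arrives before the session is marked authenticated. I would add a comment above the `Authentication cached=...` line, for example `// Must be stored in the session before the redirect is sent: the follow-up request can arrive immediately.` Separately, `cached` is constructed with `password` and is held in the session for its lifetime; if sessions are persisted or replicated, the credential presumably travels with them, which is worth confirming against `SessionAuthentication` (not shown here). The hunk also does not show the session id being renewed after a successful login; that may happen earlier in the method, which starts outside this hunk.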
