Diffstat (limited to 'jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java')
-rw-r--r-- | jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
index 0f2e09732b..e85b680fbe 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/LoginAuthenticator.java
@@ -58,7 +58,7 @@ public abstract class LoginAuthenticator implements Authenticator
 /* ------------------------------------------------------------ */
 public UserIdentity login(String username, Object password, ServletRequest request)
 {
- UserIdentity user = _loginService.login(username,password);
+ UserIdentity user = _loginService.login(username,password, request);
 if (user!=null)
 {
 renewSession((HttpServletRequest)request, (request instanceof Request? ((Request)request).getResponse() : null));
@@ -92,11 +92,11 @@ public abstract class LoginAuthenticator implements Authenticator
 /** Change the session id.
 * The session is changed to a new instance with a new ID if and only if:<ul>
 * <li>A session exists.
- * <li>The {@link AuthConfiguration#isSessionRenewedOnAuthentication()} returns true.
+ * <li>The {@link org.eclipse.jetty.security.Authenticator.AuthConfiguration#isSessionRenewedOnAuthentication()} returns true.
 * <li>The session ID has been given to unauthenticated responses
 * </ul>
- * @param request
- * @param response
+ * @param request the request
+ * @param response the response
 * @return The new session.
 */
 protected HttpSession renewSession(HttpServletRequest request, HttpServletResponse response)
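Review bot: The `login` method has no Javadoc in the visible context (only the separator comment), and with `request` now forwarded in `_loginService.login(username,password, request)` its contract on that parameter is worth stating. Two lines later the same `request` is cast unchecked in `renewSession((HttpServletRequest)request, ...)`, so a caller passing a non-HTTP `ServletRequest` would hit a `ClassCastException` only after the login service has already accepted the credentials. A `@param request` line saying it must be an `HttpServletRequest` and is handed to the login service would cover this. The argument spacing in the new call is also inconsistent (`username,password, request`). The method body continues past the end of the hunk.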
@@ -109,14 +109,14 @@ public abstract class LoginAuthenticator implements Authenticator
 {
 //if we should renew sessions, and there is an existing session that may have been seen by non-authenticated users
 //(indicated by SESSION_SECURED not being set on the session) then we should change id
- if (httpSession.getAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED)!=Boolean.TRUE)
+ if (httpSession.getAttribute(AbstractSession.SESSION_CREATED_SECURE)!=Boolean.TRUE)
 {
 if (httpSession instanceof AbstractSession)
 {
 AbstractSession abstractSession = (AbstractSession)httpSession;
 String oldId = abstractSession.getId();
 abstractSession.renewId(request);
- abstractSession.setAttribute(AbstractSession.SESSION_KNOWN_ONLY_TO_AUTHENTICATED, Boolean.TRUE);
+ abstractSession.setAttribute(AbstractSession.SESSION_CREATED_SECURE, Boolean.TRUE);
 if (abstractSession.isIdChanged() && response != null && (response instanceof Response))
 ((Response)response).addCookie(abstractSession.getSessionManager().getSessionCookie(abstractSession, request.getContextPath(), request.isSecure()));
 LOG.debug("renew {}->{}",oldId,abstractSession.getId()); |
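Review bot: The changed check `httpSession.getAttribute(AbstractSession.SESSION_CREATED_SECURE)!=Boolean.TRUE` compares by reference, so a true `Boolean` attribute that is not the canonical instance (for example one restored by Java deserialization, if sessions are persisted in this deployment) is treated as unset. That fails towards renewing the id again, which is the safe direction for session-fixation protection, but `!Boolean.TRUE.equals(httpSession.getAttribute(AbstractSession.SESSION_CREATED_SECURE))` states the intent without depending on object identity. The comment above the check still refers to `SESSION_SECURED`, which matches neither the old nor the new constant name, and should be updated to name `SESSION_CREATED_SECURE`. `renewSession` starts before and continues after this hunk.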