From c1a454c2780f6a70a70399f15b937df536c82647 Mon Sep 17 00:00:00 2001
From: Greg Wilkins
Date: Mon, 20 Aug 2012 22:28:03 +1000
Subject: avoided race in FormAuth by not sending redirect until after session attribute set

---
 .../security/authentication/FormAuthenticator.java | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

(limited to 'jetty-security')

diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index 6bfae412fb..ccb00a200d 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -216,19 +216,20 @@ public class FormAuthenticator extends LoginAuthenticator
                 synchronized(session)
                 {
                     nuri = (String) session.getAttribute(__J_URI);
-                }
-
-                if (nuri == null || nuri.length() == 0)
-                {
-                    nuri = request.getContextPath();
-                    if (nuri.length() == 0)
-                        nuri = URIUtil.SLASH;
+
+                    if (nuri == null || nuri.length() == 0)
+                    {
+                        nuri = request.getContextPath();
+                        if (nuri.length() == 0)
+                            nuri = URIUtil.SLASH;
+                    }
+
+                    Authentication cached=new SessionAuthentication(getAuthMethod(),user,password);
+                    session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached);
                 }
                 response.setContentLength(0);
                 response.sendRedirect(response.encodeRedirectURL(nuri));
-
-                Authentication cached=new SessionAuthentication(getAuthMethod(),user,password);
-                session.setAttribute(SessionAuthentication.__J_AUTHENTICATED, cached);
+
                 return new FormAuthentication(getAuthMethod(),user);
             }
-- 
cgit v1.2.3
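Review bot: The `cached` object built inside the `synchronized(session)` block stores the submitted `password` as a session attribute, so the cleartext credential now persists for the session's lifetime and in whatever store the session manager writes to; nothing in the hunk says why that is needed, so a comment on that line such as `// NOTE: cached keeps the submitted password for the whole session — confirm SessionAuthentication needs it for re-login after passivation, and keep this attribute out of logs/dumps` would stop the next reader from treating it as an oversight. The saved `__J_URI` is read under the lock but not removed from the session anywhere in the hunk, so a stale target may survive into a later login on the same session unless it is cleared elsewhere; reading it with `session.removeAttribute(__J_URI)` instead, if no other code depends on it, would make the redirect target single-use. Because `nuri` comes straight from the session attribute into `sendRedirect`, the redirect stays on-origin only as long as `__J_URI` is populated from the request path by code outside this hunk. The enclosing method starts and ends outside the hunk.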