5 Replies Latest reply on Nov 5, 2007 4:25 AM by Antonio Parolini

    ExtendedFormAuthenticator touch-up

    chris griffith Expert

      Dear gang,

      I noticed some duplicate actions taken in the protected void populateSession(Request request) method of the org.jboss.web.tomcat.security.ExtendedFormAuthenticator class. While these duplicate actions do not adversely affect the product, I am suggesting a correction. I am assuming that the author's original intent was to have two methods: one called on the way to the login page, and one called on the way to the error page. In any case...

      protected void populateSession(Request request)
      {
         String username = request.getParameter("j_username");
         HttpSession session = request.getSession(false);
         if( trace )
            log.trace("Enter, j_username="+username);
         if( session != null )
         {
            if( username != null )
               session.setAttribute("j_username", username);
            if( includePassword )
            {
               Object pass = request.getParameter("j_password");
               if( pass != null )
                  session.setAttribute("j_password", pass);
            }
         }

         username = request.getParameter("j_username");
         session = request.getSession(false);
         if( session != null )
         {
            if( trace )
               log.trace("SessionID: "+session.getId());
            if( username != null )
               session.setAttribute("j_username", username);
            // Check the SecurityAssociation context exception
            Throwable t = (Throwable) SecurityAssociationActions.getAuthException();
            if( trace )
               log.trace("SecurityAssociation.exception: "+t);
            if( t != null )
               session.setAttribute("j_exception", t);
         }
         if( trace )
            log.trace("Exit, username: "+username);
      }
      


      Might be just as good as...

      protected void populateSession(Request request)
      {
         String username = request.getParameter("j_username");
         HttpSession session = request.getSession(false);

         if( session != null )
         {
            if( trace )
               log.trace("SessionID: "+session.getId());

            if( username != null )
            {
               session.setAttribute("j_username", username);
               if( trace )
                  log.trace("Setting j_username="+username);

               if( includePassword )
               {
                  Object pass = request.getParameter("j_password");
                  if( pass != null )
                  {
                     session.setAttribute("j_password", pass);
                     if( trace )
                        log.trace("Setting j_password=--hidden--");
                  }
               }
            }

            // Check the SecurityAssociation context exception
            Throwable t = (Throwable) SecurityAssociationActions.getAuthException();
            if( trace )
               log.trace("SecurityAssociation.exception: "+t);
            if( t != null )
               session.setAttribute("j_exception", t);
         }
         else
         {
            if( trace )
               log.trace("No Session to store login parameters in");
         }
      }
      


      Again, these are just suggestions and only remove duplicate work performed.

      cgriffith
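
An added example, not part of the original post or of the JBoss code base: a stand-alone harness that replays the session writes of both versions above over every combination of submitted parameters and compares the resulting session attributes. The class name, the Map stand-ins for the request and HttpSession, and the sample values are assumptions made for this sketch; only the session != null path is modelled.

```java
import java.util.*;

// Added example: Maps stand in for request parameters and HttpSession attributes;
// authEx stands in for SecurityAssociationActions.getAuthException().
public class PopulateSessionDiff {
    // Session writes made by the original method (session != null path).
    static Map<String, Object> original(Map<String, String> params, boolean includePassword, Throwable authEx) {
        Map<String, Object> session = new HashMap<>();
        String username = params.get("j_username");
        if (username != null) session.put("j_username", username);
        if (includePassword) {
            Object pass = params.get("j_password");
            if (pass != null) session.put("j_password", pass);
        }
        username = params.get("j_username");   // the duplicate work the post points out
        if (username != null) session.put("j_username", username);
        if (authEx != null) session.put("j_exception", authEx);
        return session;
    }

    // Session writes made by the suggested method (session != null path).
    static Map<String, Object> suggested(Map<String, String> params, boolean includePassword, Throwable authEx) {
        Map<String, Object> session = new HashMap<>();
        String username = params.get("j_username");
        if (username != null) {
            session.put("j_username", username);
            if (includePassword) {
                Object pass = params.get("j_password");
                if (pass != null) session.put("j_password", pass);
            }
        }
        if (authEx != null) session.put("j_exception", authEx);
        return session;
    }

    public static void main(String[] args) {
        Throwable ex = new SecurityException("constructed sample");
        for (String u : new String[] {null, "alice"})
          for (String p : new String[] {null, "constructed-pw"})
            for (boolean inc : new boolean[] {false, true})
              for (Throwable t : new Throwable[] {null, ex}) {
                Map<String, String> params = new HashMap<>();
                if (u != null) params.put("j_username", u);
                if (p != null) params.put("j_password", p);
                Map<String, Object> a = original(params, inc, t), b = suggested(params, inc, t);
                if (!a.equals(b))   // report attribute names only, never the password value
                    System.out.println("user=" + u + " includePassword=" + inc + ": " + a.keySet() + " vs " + b.keySet());
              }
    }
}
```

The rows it prints are the inputs where the two versions leave different attributes in the session: a request that carries j_password without j_username while includePassword is enabled, because the original stores the password independently of the username check and the suggested version nests it inside that check.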