diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index f861bc1181ec..b77d2b508103 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -149,6 +149,12 @@ public AuthenticatorBase() {
*/
protected boolean alwaysUseSession = false;
+ /**
+ * Should we allow reauthentication from SSO? The original authentication (and the SSO session) may have been
+ * established via a weaker authentication mechanism.
+ */
+ protected boolean allowSsoReauthentication = false;
+
/**
* Should we cache authenticated Principals if the request is part of an HTTP session?
*/
@@ -239,6 +245,14 @@ public void setAllowCorsPreflight(String allowCorsPreflight) {
this.allowCorsPreflight = AllowCorsPreflight.valueOf(allowCorsPreflight.trim().toUpperCase(Locale.ENGLISH));
}
+ public boolean getAllowSsoReauthentication() {
+ return allowSsoReauthentication;
+ }
+
+ public void setAllowSsoReauthentication(boolean allowSsoReauthentication) {
+ this.allowSsoReauthentication = allowSsoReauthentication;
+ }
+
public boolean getAlwaysUseSession() {
return alwaysUseSession;
}
diff --git a/java/org/apache/catalina/authenticator/SSLAuthenticator.java b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
index 2364399874b9..b02cd7485d29 100644
--- a/java/org/apache/catalina/authenticator/SSLAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/SSLAuthenticator.java
@@ -49,6 +49,17 @@ public class SSLAuthenticator extends AuthenticatorBase {
private final Log log = LogFactory.getLog(SSLAuthenticator.class); // must not be static
+ private boolean allowSsoReauthentication = false;
+
+ public boolean getAllowSsoReauthentication() {
+ return allowSsoReauthentication;
+ }
+
+ public void setAllowSsoReauthentication(boolean allowSsoReauthentication) {
+ this.allowSsoReauthentication = allowSsoReauthentication;
+ }
+
+
/**
* Authenticate the user by checking for the existence of a certificate chain, validating it against the trust
* manager for the connector and then validating the user's identity against the configured Realm.
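Review bot: The private `allowSsoReauthentication` field and its two accessors added here duplicate and shadow the protected field and public accessors that this same commit adds to AuthenticatorBase; because SSLAuthenticator overrides both accessors, the inherited field is never read or written for an SSLAuthenticator and is dead, while any code that touches the base field directly would see a stale `false`. Remove the field and the two methods from SSLAuthenticator and let `doAuthenticate` read the inherited protected field, so the property has one storage location and the mbeans descriptor entry for the base class applies unchanged. If the CLIENT-CERT authenticator ever needs a different default, set it in its constructor rather than re-declaring the field. The two consecutive blank lines before the Javadoc at the end of the hunk also break the file's single-blank-line spacing.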
@@ -64,12 +75,9 @@ protected boolean doAuthenticate(Request request, HttpServletResponse response)
// NOTE: We don't try to reauthenticate using any existing SSO session,
// because that will only work if the original authentication was
// BASIC or FORM, which are less secure than the CLIENT-CERT auth-type
- // specified for this webapp
- //
- // Change to true below to allow previous FORM or BASIC authentications
- // to authenticate users for this webapp
- // TODO make this a configurable attribute (in SingleSignOn??)
- if (checkForCachedAuthentication(request, response, false)) {
+ // specified for this webapp. This behaviour may be modified by setting
+ // the allowSsoReauthentication property.
+ if (checkForCachedAuthentication(request, response, allowSsoReauthentication)) {
return true;
}
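Review bot: The rewritten comment still opens with "We don't try to reauthenticate using any existing SSO session", which is no longer true once the flag is set, and it does not spell out the consequence: with `allowSsoReauthentication` true, a request carrying only a valid SSO cookie and no client certificate is granted access to a CLIENT-CERT protected webapp, and the certificate checks later in this method are skipped because `checkForCachedAuthentication` returns true first. I would reword it to state that reauthentication from SSO is refused by default because the SSO session may have been created by the weaker BASIC or FORM mechanisms, and that enabling the property accepts such a principal here without a client certificate on this request. The body of `doAuthenticate` continues past the hunk, so where the certificate validation that this short-circuits lives is inferred, not visible here.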
diff --git a/java/org/apache/catalina/authenticator/mbeans-descriptors.xml b/java/org/apache/catalina/authenticator/mbeans-descriptors.xml
index cb4b4f77bbea..20d11c841914 100644
--- a/java/org/apache/catalina/authenticator/mbeans-descriptors.xml
+++ b/java/org/apache/catalina/authenticator/mbeans-descriptors.xml
@@ -30,6 +30,10 @@
description="Should a session always be used once a user is authenticated?"
type="boolean"/>
+
+
@@ -80,6 +84,10 @@
description="Should a session always be used once a user is authenticated?"
type="boolean"/>
+
+
@@ -254,6 +262,10 @@
group="Valve"
type="org.apache.catalina.authenticator.SSLAuthenticator">
+
+