else
session.removeNote(Constants.SESS_PASSWORD_NOTE);
}
// JBAS-4424: Programmatic web authentication with SSO
SingleSignOn sso = this.getSingleSignOn(request);
if (sso == null)
return;
// Only create a new SSO entry if the SSO did not already set a note
// for an existing entry (as it would do with subsequent requests
// for DIGEST and SSL authenticated contexts)
String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
if (ssoId == null)
{
// Construct a cookie to be returned to the client
ssoId = generateSessionId();
Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, ssoId);
cookie.setMaxAge(-1);
cookie.setPath("/");
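// Bugzilla 41217: the Secure flag mirrors request.isSecure(), so an SSO
// cookie created on a non-secure request is not marked Secure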
cookie.setSecure(request.isSecure());
// Bugzilla 34724
String ssoDomain = sso.getCookieDomain();
if (ssoDomain != null)
{
cookie.setDomain(ssoDomain);
}
Response response = (Response) SecurityAssociationValve.activeResponse.get();
response.addCookie(cookie);
// Register this principal with our SSO valve
sso.register(ssoId, principal, AUTH_TYPE, username, this.getPasswordAsString(password));
request.setNote(Constants.REQ_SSOID_NOTE, ssoId);
}
else
{
// Update the SSO session with the latest authentication data
sso.update(ssoId, principal, AUTH_TYPE, username, this.getPasswordAsString(password));
}
// Always associate a session with a new SSO registration.
// SSO entries are only removed from the SSO registry map when their
// associated sessions are destroyed. If a new SSO entry is created
// above for this request and the user never revisits the context, the
// SSO entry will never be cleared unless we associate the session here.
if (session == null)
session = request.getSessionInternal(true);
sso.associate(ssoId, session);
}