feat: Make SSO re-authentication configurable for SSLAuthenticator

java/org/apache/catalina/authenticator/AuthenticatorBase.java

@@ -149,6 +149,12 @@ public AuthenticatorBase() {
  */
  protected boolean alwaysUseSession = false;
 
+ /**
+ * Should we allow reauthentication from SSO? The original authentication (and the SSO session) may have been
+ * established via a weaker authentication mechanism.
+ */
+ protected boolean allowSsoReauthentication = false;
+
  /**
  * Should we cache authenticated Principals if the request is part of an HTTP session?
  */
@@ -239,6 +245,14 @@ public void setAllowCorsPreflight(String allowCorsPreflight) {
  this.allowCorsPreflight = AllowCorsPreflight.valueOf(allowCorsPreflight.trim().toUpperCase(Locale.ENGLISH));
  }
 
+ public boolean getAllowSsoReauthentication() {
+ return allowSsoReauthentication;
+ }
+
+ public void setAllowSsoReauthentication(boolean allowSsoReauthentication) {
+ this.allowSsoReauthentication = allowSsoReauthentication;
+ }
+
  public boolean getAlwaysUseSession() {
  return alwaysUseSession;
  }

java/org/apache/catalina/authenticator/SSLAuthenticator.java

@@ -49,6 +49,17 @@ public class SSLAuthenticator extends AuthenticatorBase {
 
  private final Log log = LogFactory.getLog(SSLAuthenticator.class); // must not be static
 
+ private boolean allowSsoReauthentication = false;
+
+ public boolean getAllowSsoReauthentication() {
+ return allowSsoReauthentication;
+ }
+
+ public void setAllowSsoReauthentication(boolean allowSsoReauthentication) {
+ this.allowSsoReauthentication = allowSsoReauthentication;
+ }
+
+
  /**
  * Authenticate the user by checking for the existence of a certificate chain, validating it against the trust
  * manager for the connector and then validating the user's identity against the configured Realm.
@@ -64,12 +75,9 @@ protected boolean doAuthenticate(Request request, HttpServletResponse response)
  // NOTE: We don't try to reauthenticate using any existing SSO session,
  // because that will only work if the original authentication was
  // BASIC or FORM, which are less secure than the CLIENT-CERT auth-type
- // specified for this webapp
- //
- // Change to true below to allow previous FORM or BASIC authentications
- // to authenticate users for this webapp
- // TODO make this a configurable attribute (in SingleSignOn??)
- if (checkForCachedAuthentication(request, response, false)) {
+ // specified for this webapp. This behaviour may be modified by setting
+ // the allowSsoReauthentication property.
+ if (checkForCachedAuthentication(request, response, allowSsoReauthentication)) {
  return true;
  }
 

java/org/apache/catalina/authenticator/mbeans-descriptors.xml

@@ -30,6 +30,10 @@
  description="Should a session always be used once a user is authenticated?"
  type="boolean"/>
 
+ <attribute name="allowSsoReauthentication"
+ description="Should reauthentication from SSO be allowed?"
+ type="boolean"/>
+
  <attribute name="cache"
  description="Should we cache authenticated Principals if the request is part of an HTTP session?"
  type="boolean"/>
@@ -80,6 +84,10 @@
  description="Should a session always be used once a user is authenticated?"
  type="boolean"/>
 
+ <attribute name="allowSsoReauthentication"
+ description="Should reauthentication from SSO be allowed?"
+ type="boolean"/>
+
  <attribute name="cache"
  description="Should we cache authenticated Principals if the request is part of an HTTP session?"
  type="boolean"/>
@@ -254,6 +262,10 @@
  group="Valve"
  type="org.apache.catalina.authenticator.SSLAuthenticator">
 
+ <attribute name="allowSsoReauthentication"
+ description="Should reauthentication from SSO be allowed?"
+ type="boolean"/>
+
  <attribute name="cache"
  description="Should we cache authenticated Principals if the request is part of an HTTP session?"
  type="boolean"/>