misc fixes

src/main/java/password/pwm/AppProperty.java

@@ -249,6 +249,7 @@ public enum     AppProperty {
     REPORTING_LDAP_SEARCH_TIMEOUT                   ("reporting.ldap.searchTimeoutMs"),
     REPORTING_LDAP_SEARCH_THREADS                   ("reporting.ldap.searchThreads"),
     SECURITY_STRIP_INLINE_JAVASCRIPT                ("security.html.stripInlineJavascript"),
+    SECURITY_HTTP_FORCE_REQUEST_SEQUENCING          ("security.http.forceRequestSequencing"),
     SECURITY_HTTP_STRIP_HEADER_REGEX                ("security.http.stripHeaderRegex"),
     SECURITY_HTTP_PERFORM_CSRF_HEADER_CHECKS        ("security.http.performCsrfHeaderChecks"),
     SECURITY_HTTP_PROMISCUOUS_ENABLE                ("security.http.promiscuousEnable"),

src/main/java/password/pwm/config/PwmSetting.java

@@ -512,8 +512,6 @@ public enum PwmSetting {
 
 
     // web security
-    SECURITY_ENABLE_REQUEST_SEQUENCE(
-            "security.page.enableRequestSequence", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.WEB_SECURITY),
     SECURITY_ENABLE_FORM_NONCE(
             "security.formNonce.enable", PwmSettingSyntax.BOOLEAN, PwmSettingCategory.WEB_SECURITY),
     ENABLE_SESSION_VERIFICATION(

src/main/java/password/pwm/ldap/LdapConnectionService.java

@@ -54,6 +54,7 @@ public class LdapConnectionService implements PwmService {
     private STATUS status = STATUS.NEW;
     private int connectionsPerProfile = 1;
     private final AtomicInteger slotIncrementer = new AtomicInteger(0);
+    private final ThreadLocal<ChaiProvider> threadLocalProvider = new ThreadLocal<>();
 
     public STATUS status()
     {
@@ -117,6 +118,10 @@ public class LdapConnectionService implements PwmService {
     public ChaiProvider getProxyChaiProvider(final LdapProfile identifier)
             throws PwmUnrecoverableException
     {
+        if (threadLocalProvider.get() != null) {
+            return threadLocalProvider.get();
+        }
+
         final int slot = nextSlot();
 
         final ChaiProvider proxyChaiProvider = proxyChaiProviders.get(identifier).get(slot);
@@ -135,6 +140,7 @@ public class LdapConnectionService implements PwmService {
         }
 
         try {
+
             final ChaiProvider newProvider = LdapOperationsHelper.openProxyChaiProvider(
                     null,
                     ldapProfile,
@@ -142,6 +148,8 @@ public class LdapConnectionService implements PwmService {
                     pwmApplication.getStatisticsManager()
             );
             proxyChaiProviders.get(identifier).put(slot, newProvider);
+            threadLocalProvider.set(newProvider);
+
             return newProvider;
         } catch (PwmUnrecoverableException e) {
             setLastLdapFailure(ldapProfile,e.getErrorInformation());

src/main/java/password/pwm/util/Validator.java

@@ -83,9 +83,10 @@ public class Validator {
             throws PwmOperationalException, PwmUnrecoverableException
     {
         final PwmSession pwmSession = pwmRequest.getPwmSession();
-        final PwmApplication pwmApplication = pwmRequest.getPwmApplication();
 
-        if (pwmApplication.getConfig().readSettingAsBoolean(PwmSetting.SECURITY_ENABLE_REQUEST_SEQUENCE)) {
+        final boolean enforceRequestSequencing = Boolean.parseBoolean(pwmRequest.getConfig().readAppProperty(AppProperty.SECURITY_HTTP_FORCE_REQUEST_SEQUENCING));
+
+        if (enforceRequestSequencing) {
             final String requestVerificationKey = String.valueOf(pwmSession.getLoginInfoBean().getReqCounter());
 
             final String submittedPwmFormID = pwmRequest.readParameterAsString(PwmConstants.PARAM_FORM_ID);

src/main/resources/password/pwm/AppProperty.properties

@@ -231,6 +231,7 @@ recaptcha.clientJsUrl=//www.google.com/recaptcha/api.js
 recaptcha.clientIframeUrl=//www.google.com/recaptcha/api/noscript
 recaptcha.validateUrl=https://www.google.com/recaptcha/api/siteverify
 security.html.stripInlineJavascript=false
+security.http.forceRequestSequencing=false
 security.http.stripHeaderRegex=\\n|\\r|(?ism)%0A|%0D
 security.http.performCsrfHeaderChecks=false
 security.http.promiscuousEnable=false

src/main/resources/password/pwm/config/PwmSetting.xml

@@ -1397,11 +1397,6 @@
             <value>0</value>
         </default>
     </setting>
-    <setting hidden="false" key="security.page.enableRequestSequence" level="2" required="true">
-        <default>
-            <value>true</value>
-        </default>
-    </setting>
     <setting hidden="false" key="security.formNonce.enable" level="2" required="true">
         <default>
             <value>true</value>

src/main/resources/password/pwm/i18n/PwmSetting.properties

@@ -614,7 +614,6 @@ Setting_Description_security.formNonce.enable=Enable this option to require a no
 Setting_Description_security.ldap.simulateBadPassword=Enable this option to enable Bad Password simulation activity when a user enters a forgotten password field.  When an identified user attempts to recover a forgotten password but uses incorrect data, @PwmAppName@ attempts to authenticate to the directory using a known bad password value.  This is done to allow the LDAP directory to trigger its own defense mechanisms against intruders.
 Setting_Description_security.loginSession.mode=Select the mode @PwmAppName@ uses to manage the login session state. Local mode is the most secure and reliable, but it does not allow for server fail-over.
 Setting_Description_security.moduleSession.mode=Select the mode @PwmAppName@ uses to manage the module session state.  Local mode is the most secure and reliable, but it does not allow for server fail-over.
-Setting_Description_security.page.enableRequestSequence=Enable this option to detect the use of back button or other browser navigation irregularities.  Enabling this option prevents duplicate HTTP form submissions but can sometimes have side effects.
 Setting_Description_security.page.leaveNoticeTimeout=Specify a timeout period for when a user navigates away from any page. The browser sends a notice to the server. The next time the browser requrest a page, @PwmAppName@ checks the timeout to determine if the last page leave time was greater then the timeout, and if so, it invalidates the user's session. This has the effect of logging out the users that navigate away from @PwmAppName@ without explicitly logging out. If set to zero, you disable this feature.
 Setting_Description_security.preventFraming=Enable this option to prevent browsers form displaying @PwmAppName@ inside an IFrame.  @PwmAppName@ does this by setting the <b>X-Frame-Options</b> HTTP Header to <b>DENY</b> on all pages.
 Setting_Description_security.redirectUrl.whiteList=Specify a list of partial URL fragments. Any attempt to set the forwardURL or logoutURL via request parameter must match a URL fragment listed here. <ul><li>@PwmAppName@ attempts to match each item from the <b>beginning</b> of the requested URL string.</li><li>@PwmAppName@ decodes and parses the redirect URL before checking it against the whitelist.</li>          <li>If an error occurs when setting a redirect URL, set the debug logs to TRACE and watch the output as the error occurs.</li><li>@PwmAppName@ does not permit wildcards or case mis-matches, the values must match exactly.</li><li>If a fragment has the prefix <i>regex\:</i>, @PwmAppName@ treats the remainder of the fragment as a regular expression.  Regular expression matches must match the entire URL.</li></ul> <table>\n        <tr><td>Example</td><td>Matches</td><td>Not Matched</td></tr>\n        <td>https\://www.example.com</td><td>https\://www.example.com<br/>https\://www.example.com/<br/>https\://www.example.com/path</td><td>http\://www.example.com<br/>https\://mail.example.com</td></tr>\n        <td>http\://www.example.com/p1</td><td>http\://www.example.com/p1<br/>http\://www.example.com/p1/p2<br/>http\://www.example.com/p1?a1\=v1</td><td>https\://www.example.com/p1<br/>http\://www.example.com/p2</td></tr>\n        <td>/path1</td><td>/path1<br/>/path1/path2<br/>/path1/path2/?param\=v1</td><td>www.example.com/path1/<br/>https\://www.example.com/path1<br/>/path2</td></tr>\n        <td>regex\:^(https?\:\\/\\/)[a-z]*\\.example\\.com.*?$</td><td>http\://www.example.com<br/>https\://www.example.com<br/>http\://www.example.com/p1<br/>http\://mail.example.com/p1</td><td>www.example.com<br/>http\://www.example.org</td></tr>\n        </table>\n
@@ -1086,7 +1085,6 @@ Setting_Label_security.formNonce.enable=Enable Form Nonce
 Setting_Label_security.ldap.simulateBadPassword=Enable Bad Password Simulation
 Setting_Label_security.loginSession.mode=Login Session Mode
 Setting_Label_security.moduleSession.mode=Module Session Mode
-Setting_Label_security.page.enableRequestSequence=Enable Back Button Detection
 Setting_Label_security.page.leaveNoticeTimeout=Page Leave Notice Timeout
 Setting_Label_security.preventFraming=Prevent HTML Framing
 Setting_Label_security.redirectUrl.whiteList=Redirect Whitelist