tomcat-dev mailing list archives

From "Stephen Jones" <stevejo...@qwest.net>
Subject Bugzilla #484 not reproducible
Date Sun, 04 Mar 2001 08:07:14 GMT

I was investigating bug #484 in Bugzilla:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=484

I was not able to recreate this bug as reported.

I am using Tomcat 3.2.1 Final, where the bug was reported using Tomcat
3.2.1 Nightly on Jan 21, 2001. This may be the cause.

I tested all of the cases mentioned, and added one more URL string to
test:
4. "rtx/LoginFailed.html"

I tested using SSL on both ports 443 and 445, with ajp12 and with
ajp13.

The main thing I learned is that you should never call
response.sendRedirect() from a secure webapp without using ajp13, since
it redirects to the URL but changes "https://" to "http://" and the
desired redirect will not happen because the webserver is only allowing
SSL connections. This is not a bug (since ajp13 works) but I bet a lot
of people will make this mistake with their webapps.

I am interpreting the documentation for response.sendRedirect()
differently from the bug reporter; it does not specifically state that
the path cannot extend outside the servlet context. Therefore, when
scenarios a2 and a3 happen, the failure is warranted.

I've attached a tarball of the webapp I used to test, which contains
JSP pages to test all the permutations. I would like for at least one
more person to verify this. In short, I think this is an ex-bug.

Thanks,
Steve
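
The scheme downgrade described in the message, as an added example that is not part of the original post or of Tomcat's code: a simplified model of a container turning a `sendRedirect()` target into an absolute `Location` using the scheme its connector reports, plus a check that flags an https request answered with an http redirect. The host name, request path, function names and the model itself are assumptions made for illustration; only the `rtx/LoginFailed.html` target comes from the message.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample input: the URL the browser requested over SSL.
REQUEST = "https://www.example.test:443/rtx/login.jsp"
# Redirect targets: the relative string from the message, plus two
# constructed variants (context-absolute path and fully absolute URL).
TARGETS = [
    "rtx/LoginFailed.html",
    "/rtx/LoginFailed.html",
    "https://www.example.test:443/rtx/LoginFailed.html",
]


def container_location(client_url, seen_scheme, target):
    """Absolutize `target` against the request as the container sees it.

    Assumption: the container rebuilds the request URL from the scheme the
    connector reports (`seen_scheme`), which may differ from the scheme the
    client actually used when SSL terminates at the front-end web server.
    """
    parts = urlsplit(client_url)
    seen = urlunsplit((seen_scheme, parts.netloc, parts.path, parts.query, ""))
    return urljoin(seen, target)


def is_downgrade(client_url, location):
    """True when an https request is redirected to http on the same host."""
    req = urlsplit(client_url)
    loc = urlsplit(urljoin(client_url, location))
    return (req.scheme == "https" and loc.scheme == "http"
            and req.hostname == loc.hostname)


def audit(client_url, seen_scheme, targets):
    """Return (target, Location, downgraded?) for each redirect target."""
    rows = []
    for target in targets:
        location = container_location(client_url, seen_scheme, target)
        rows.append((target, location, is_downgrade(client_url, location)))
    return rows


if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(f"connector reports scheme={scheme}")
        for target, location, bad in audit(REQUEST, scheme, TARGETS):
            print(f"  {target!r} -> {location}  downgrade={bad}")
```

The same `is_downgrade` check can be run over captured request URL and `Location` header pairs from an SSL-only site to find webapps that hit this problem.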


