tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 11603] - security fails for http-method != GET when user is forced to login
Date Sat, 10 Aug 2002 10:59:43 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11603>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11603

security fails for http-method != GET when user is forced to login

max@maxcooper.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|http://www.secuityfilter.org|http://securityfilter.org/to
                   |/tomcat/http-method-bug.war |mcat/http-method-bug.war



------- Additional Comments From max@maxcooper.com  2002-08-10 10:59 -------
The demonstration app is posted and available now.

It turns out this isn't as much of a problem as I originally thought. It seems 
the request parameters are not available once you get to the destination page. 
That makes this much less of a problem, but I would still expect to get a 403 
error rather than see the page with my POSTed parameters missing.

Also, I did not include an <auth-constraint> in the web.xml that I posted in 
the original report. There is no cause for the container to block access 
without this. The behavior is the same whether the auth-constraint tag is empty 
(i.e. no access is allowed) or there is a role that the user does not have. 
This behavior seems correct.

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>

