tomcat-dev mailing list archives

From "Larry Isaacs" <Larry.Isa...@sas.com>
Subject RE: proposed org.apache.tomcat.modules.aaa.AccessInterceptor fix for security-constraint
Date Fri, 02 Aug 2002 20:38:34 GMT
Hi Tony,

This has been on the to-do list for a while.  I'll try to take a
look at this in the near future.  My day job has me swamped at
the moment.  Thanks.

Cheers,
Larry

> -----Original Message-----
> From: Tony_Chao@putnam.com [mailto:Tony_Chao@putnam.com] 
> Sent: Friday, August 02, 2002 4:06 PM
> To: tomcat-dev@jakarta.apache.org
> Subject: proposed org.apache.tomcat.modules.aaa.AccessInterceptor fix for security-constraint
> 
> 
> Hi,
> 
> I found that tomcat-3.3.1 will end up in an endless redirect loop if you
> use FORM auth-method in your login-config and happened to place your
> form-login-page in a path that is protected by a web-resource-name in your
> security constraint.
> 
> based on my assessment, the following patch fixes the bug.
> part of the fix below was adapted from tomcat 4.0 sources
> 
> comments? opinions?
> 
> -Tony Chao
> 
> 
> 
> C:\Documents and Settings\hchao\Desktop>diff AccessInterceptor.java
> AccessInterc
> eptor.java.orig
> 273,301d272
> <         // Is this a request for the login page itself?  
> Test here to
> avoid
> <         // displaying it twice (from the user's perspective) -- once
> because
> <         // of the "save and redirect" and once because of 
> the "restore
> and
> <         // redirect" performed below.
> <       if (reqURI.equals(ctx.getFormLoginPage())) {
> <           if (debug >= 1)
> <                 log("Requesting login page normally");
> <             return 0;      // Display the login page in the 
> usual manner
> <       }
> <
> <         // Is this a request for the error page itself?  
> Test here to
> avoid
> <         // an endless loop (back to the login page) if the 
> error page is
> <         // within the protected area of our security constraint
> <         if (reqURI.equals(ctx.getFormErrorPage())) {
> <             if (debug >= 1)
> <                 log("Requesting error page normally");
> <             return 0;      // Display the error page in the 
> usual manner
> <         }
> <
> <       int lastS=ctx.getFormLoginPage().lastIndexOf( "/" );
> <       String security_check_url = 
> ctx.getFormLoginPage().substring( 0,
> lastS)
> <         + "/j_security_check";
> <         if (reqURI.equals(security_check_url)) {
> <             if (debug >= 1)
> <                 log("Requesting security check page normally");
> <             return 0;      // Display the security check in 
> the usual
> manner
> <       }
> <
> <
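
Review bot: The j_security_check block calls ctx.getFormLoginPage().lastIndexOf( "/" ) and then substring( 0, lastS) with no guard, so if getFormLoginPage() returns null, or returns a value with no "/" in it (lastS is -1), this code throws instead of falling through to the normal constraint handling. Suggest reading the login page into a local once, skipping the login-page and j_security_check tests when it is null, and building security_check_url only when lastS >= 0. Because each of the three tests ends in `return 0` on an exact reqURI.equals(...) match, ahead of the save-and-redirect logic the comments refer to, a comment stating what form reqURI has at this point (context-relative, already normalized) would make it clear that the exemption covers exactly these three URLs and nothing else. Smaller points: the added lines are indented inconsistently, security_check_url does not follow the camelCase used by reqURI and lastS, and the diff was taken from the new file to the .orig file in normal format (hence `273,301d272`); a unified diff from AccessInterceptor.java.orig to AccessInterceptor.java would be easier to read and apply.
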
> 
> 
> 

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
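
A configuration check for the condition Tony's report describes, as an added example that is not part of the original thread or of Tomcat: it parses a web.xml and lists the FORM login page, error page and derived j_security_check URL that fall under a security constraint requiring authentication. The sample descriptor, its paths and role name, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (no XML namespace); paths and role name are placeholders.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>member</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method><form-login-config>
    <form-login-page>/secure/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config></login-config>
</web-app>"""

def matches(pattern, path):
    """Servlet url-pattern match: exact, '/prefix/*', '*.ext' or default '/'."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def protected_form_pages(web_xml):
    """Map each FORM-login URL that falls under an auth constraint to its patterns."""
    root = ET.fromstring(web_xml)
    cfg = root.find("login-config/form-login-config")
    if cfg is None or root.findtext("login-config/auth-method", "").strip() != "FORM":
        return {}
    # Simplification: http-method restrictions on a constraint are ignored.
    patterns = [p.text.strip()
                for sc in root.findall("security-constraint")
                if sc.find("auth-constraint") is not None
                for p in sc.findall("web-resource-collection/url-pattern") if p.text]
    urls = [(cfg.findtext(t) or "").strip() for t in ("form-login-page", "form-error-page")]
    # The patch derives the j_security_check URL from the login page's directory.
    if "/" in urls[0]:
        urls.append(urls[0][:urls[0].rfind("/")] + "/j_security_check")
    hits = {}
    for url in filter(None, urls):
        matched = [p for p in patterns if matches(p, url)]
        if matched:
            hits[url] = matched
    return hits
```

An empty result means none of the three URLs sits under an authenticated constraint, which is the layout where the condition in the report does not arise.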

