tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tony_C...@putnam.com
Subject propsed org.apache.tomcat.modules.aaa.AccessInterceptor fix for security-constraint
Date Fri, 02 Aug 2002 20:06:19 GMT
Hi,

I found that tomcat-3.3.1 will end up in an endless redirect loop if you
use FORM auth-method in your login-config and happened to place your
form-login-page
in a path that is protected by a web-resource-name in your security
constraint.

based on my assessment, the following patch fixes the bug.
part of the fix below was adapted from tomcat 4.0 sources

comments? opinions?

-Tony Chao



C:\Documents and Settings\hchao\Desktop>diff AccessInterceptor.java
AccessInterc
eptor.java.orig
273,301d272
<         // Is this a request for the login page itself?  Test here to
avoid
<         // displaying it twice (from the user's perspective) -- once
because
<         // of the "save and redirect" and once because of the "restore
and
<         // redirect" performed below.
<       if (reqURI.equals(ctx.getFormLoginPage())) {
<           if (debug >= 1)
<                 log("Requesting login page normally");
<             return 0;      // Display the login page in the usual manner
<       }
<
<         // Is this a request for the error page itself?  Test here to
avoid
<         // an endless loop (back to the login page) if the error page is
<         // within the protected area of our security constraint
<         if (reqURI.equals(ctx.getFormErrorPage())) {
<             if (debug >= 1)
<                 log("Requesting error page normally");
<             return 0;      // Display the error page in the usual manner
<         }
<
<       int lastS=ctx.getFormLoginPage().lastIndexOf( "/" );
<       String security_check_url = ctx.getFormLoginPage().substring( 0,
lastS)
<         + "/j_security_check";
<         if (reqURI.equals(security_check_url)) {
<             if (debug >= 1)
<                 log("Requesting security check page normally");
<             return 0;      // Display the security check in the usual
manner
<       }
<
<



--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message