tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: auth bug fix for 4.0.6
Date Sat, 09 Nov 2002 08:37:38 GMT
Replying to an older version of the thread, since I share messages the other
way around.

Personally, I think that Remy needs to work on his people skills.  Keith has
been a very valuable committer on the 3.3 branch.  Rather than shooting him
down, you could have given him pointers on how to improve his patch (which
I'll probably do, but it takes me much longer than it does you :).  Just
remember that Keith has the right to veto (although I doubt that he'll use
it) any 4.x release until his bug is fixed.

----- Original Message -----
From: "Remy Maucherat" <remm@apache.org>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Thursday, November 07, 2002 11:41 PM
Subject: Re: auth bug fix for 4.0.6


> Bill Barker wrote:
>
> > As a non-4.x expert, your patch looks ok.  I would guess that it would
> > still
> > have problems with a request to /foo/protected where the
> > security-constraint
> > is only for /foo/protected/*.
>
> I don't agree, the patch is bad for 4.1.x and 5.0 (at least, you must
> use the decoded URI there). Tomcat 4.0.x is probably ok.
>
> I also don't agree with Keith's interpretation depending on what the
> constraint is. Can you give examples?
>
> Remy
>
> >
> > >It turns out TC 4.0.6 has the same auth bug as 3.3--
> > >it challenges prior to redirects.  The immediate problem
> > >this causes is that some browsers will cache and send
> > >credentials for the entire domain after being challenged
> > >for a top level directory without a trailing slash.
> > >
> > >So 4.0.6 exhibits this wrong behavior:
> > > GET /foo                       ->  401
> > > GET /foo with auth             ->  301 to /foo/
> > > GET /foo/ with auth            ->  200
> > > GET /bar with auth  .. (browser will send auth to other realms!)
> > >
> > >With the following patch it will exhibit this correct behavior:
> > > GET /foo                       ->  301 to /foo/
> > > GET /foo/                      ->  401
> > > GET /foo/ with auth            ->  200
> > > GET /bar  WITHOUT auth
> > >
> > >
> > >I'll be glad to ci it, but those more in the know may
> > >have a better location for the fix in mind.
> > >
> > >Keith
> > >
> > >
> > >Index:
> >
> >
catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
> >
> > >===================================================================
> > >RCS file:
> >
> >
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenti
> > cator/AuthenticatorBase.java,v
> >
> > >retrieving revision 1.23.2.5
> > >diff -u -r1.23.2.5 AuthenticatorBase.java
> > >---
> >
> >
catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
> >
> > >27 Feb 2002 17:42:58 -0000      1.23.2.5
> > >+++
> >
> >
catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
> >
> > >8 Nov 2002 05:25:06 -0000
> > >@@ -422,8 +422,18 @@
> > >             context.invokeNext(request, response);
> > >             return;
> > >         }
> > >         HttpRequest hrequest = (HttpRequest) request;
> > >         HttpResponse hresponse = (HttpResponse) response;
> > >+
> > >+        // Do not authenticate prior to redirects
> > >+        String uri = ((HttpServletRequest)
> >
> > request.getRequest()).getRequestURI();
> >
> > >+        if (uri.length() > 0 && ! uri.endsWith("/") &&
> > >+            uri.equals(request.getContext().getName())) {
> > >+            context.invokeNext(request, response);
> > >+            return;
> > >+        }
> > >+
> > >         if (debug >= 1)
> > >             log("Security checking request " +
> > >                 ((HttpServletRequest)
> > request.getRequest()).getMethod() +
> >
> > " " +
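Review bot: the added block in this hunk skips the security check entirely whenever the raw request URI equals the context name without a trailing slash, but nothing in the hunk establishes that such a request will actually be redirected; it relies on whatever runs after `context.invokeNext(request, response)` answering with a 301, and if that component ever serves content for the bare context path instead, that content is served with no authentication at all. A safer shape is to make the redirect explicit at this point (respond 301 to the URI plus "/" and return) rather than skipping the check on an assumption about later processing. Two smaller points: the comparison uses `getRequestURI()`, the undecoded form, whereas Remy notes the decoded URI must be used on 4.1.x/5.0, so an encoded form of the same path does not match and falls through to the old behaviour; and the condition only matches the context root, so Bill's case of a request to `/foo/protected` under a constraint on `/foo/protected/*` is still challenged before the redirect.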


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
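The challenge-before-redirect ordering Keith describes can be checked from the outside without ever sending credentials. The following is an added example, not code from this thread or from Tomcat; it assumes a server at http://localhost:8080 with a context at /foo (both are placeholders) and reports whether the bare context path is answered with a 401 (the 4.0.6 ordering) or a 301 (the fixed ordering).

```python
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers):
    """Name what one unauthenticated GET got back: challenge, redirect or other."""
    if status == 401:
        return "challenge", headers.get("WWW-Authenticate", "")
    if status in (301, 302, 303, 307, 308):
        return "redirect", headers.get("Location", "")
    return "other", str(status)


def bug_present(context_path, responses):
    """True when the bare context path (no trailing slash) was challenged.

    responses maps path -> (status, headers) for unauthenticated GETs. A fixed
    server redirects the bare path to path + "/" and only challenges once the
    slash is present, so a 401 on the bare path is the 4.0.6 ordering.
    """
    kind, _ = classify(*responses[context_path])
    return kind == "challenge"


def probe(base_url, path, timeout=5):
    """One unauthenticated GET, redirects not followed, no credentials sent."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url + path, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx and 4xx surface here
        return err.code, dict(err.headers)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"  # assumed
    ctx = sys.argv[2] if len(sys.argv) > 2 else "/foo"  # assumed context path
    results = {p: probe(base, p) for p in (ctx, ctx + "/")}
    for p, r in results.items():
        print(p, "->", classify(*r))
    print("challenge-before-redirect bug present:", bug_present(ctx, results))
```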

