tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <wbar...@wilshire.com>
Subject Re: auth bug fix for 4.0.6
Date Fri, 08 Nov 2002 07:10:45 GMT
As a non-4.x expert, your patch looks ok.  I would guess that it would still
have problems with a request to /foo/protected where the security-constraint
is only for /foo/protected/*.

----- Original Message -----
From: "Keith Wannamaker" <Keith@Wannamaker.org>
To: <tomcat-dev@jakarta.apache.org>
Sent: Thursday, November 07, 2002 9:36 PM
Subject: auth bug fix for 4.0.6


> It turns out TC 4.0.6 has the same auth bug as 3.3--
> it challenges prior to redirects.  The immediate problem
> this causes is that some browsers will cache and send
> credentials for the entire domain after being challenged
> for a top level directory without a trailing slash.
>
> So 4.0.6 exhibits this wrong behavior:
>  GET /foo                       ->  401
>  GET /foo with auth             ->  301 to /foo/
>  GET /foo/ with auth            ->  200
>  GET /bar with auth  .. (browser will send auth to other realms!)
>
> With the following patch it will exhibit this correct behavior:
>  GET /foo                       ->  301 to /foo/
>  GET /foo/                      ->  401
>  GET /foo/ with auth            ->  200
>  GET /bar  WITHOUT auth
>
>
> I'll be glad to ci it, but those more in the know may
> have a better location for the fix in mind.
>
> Keith
>
>
> Index:
catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
> ===================================================================
> RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenti
cator/AuthenticatorBase.java,v
> retrieving revision 1.23.2.5
> diff -u -r1.23.2.5 AuthenticatorBase.java
> ---
catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
> 27 Feb 2002 17:42:58 -0000      1.23.2.5
> +++
catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
> 8 Nov 2002 05:25:06 -0000
> @@ -422,8 +422,18 @@
>              context.invokeNext(request, response);
>              return;
>          }
>          HttpRequest hrequest = (HttpRequest) request;
>          HttpResponse hresponse = (HttpResponse) response;
> +
> +        // Do not authenticate prior to redirects
> +        String uri = ((HttpServletRequest)
request.getRequest()).getRequestURI();
> +        if (uri.length() > 0 && ! uri.endsWith("/") &&
> +            uri.equals(request.getContext().getName())) {
> +            context.invokeNext(request, response);
> +            return;
> +        }
> +
>          if (debug >= 1)
>              log("Security checking request " +
>                  ((HttpServletRequest) request.getRequest()).getMethod() +
" " +
>
>
> --
> To unsubscribe, e-mail:
<mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail:
<mailto:tomcat-dev-help@jakarta.apache.org>
>


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message