tomcat-dev mailing list archives

From "Keith Wannamaker" <Ke...@Wannamaker.org>
Subject RE: auth bug fix for 4.0.6
Date Fri, 08 Nov 2002 18:05:36 GMT
Remy, I don't even know if 4.1.x and 5.0 share the bug or not;
I haven't tested it, though I suspect they do.  I do know 4.0.6
has the bug.

I'm not sure what interpretation you are questioning -- if it
is the placement or nature of the fix, sure, I said someone may
want to tweak the location and method of the fix.  However the
behavior is very standard and necessary (Apache handles auth
and redirects the same way for the same reason).

In the example I gave, the security constraint was /* for the 
context.

Keith

| -----Original Message-----
| From: Remy Maucherat [mailto:remm@apache.org]
| Sent: Friday, November 08, 2002 2:42 AM
| To: Tomcat Developers List
| Subject: Re: auth bug fix for 4.0.6
| 
| 
| Bill Barker wrote:
| 
| > As a non-4.x expert, your patch looks ok.  I would guess that it would
| > still have problems with a request to /foo/protected where the
| > security-constraint is only for /foo/protected/*.
| 
| I don't agree, the patch is bad for 4.1.x and 5.0 (at least, you must 
| use the decoded URI there). Tomcat 4.0.x is probably ok.
| 
| I also don't agree with Keith's interpretation depending on what the 
| constraint is. Can you give examples ?
| 
| Remy
| 
| >
| > >It turns out TC 4.0.6 has the same auth bug as 3.3--
| > >it challenges prior to redirects.  The immediate problem
| > >this causes is that some browsers will cache and send
| > >credentials for the entire domain after being challenged
| > >for a top level directory without a trailing slash.
| > >
| > >So 4.0.6 exhibits this wrong behavior:
| > > GET /foo                       ->  401
| > > GET /foo with auth             ->  301 to /foo/
| > > GET /foo/ with auth            ->  200
| > > GET /bar with auth  .. (browser will send auth to other realms!)
| > >
| > >With the following patch it will exhibit this correct behavior:
| > > GET /foo                       ->  301 to /foo/
| > > GET /foo/                      ->  401
| > > GET /foo/ with auth            ->  200
| > > GET /bar  WITHOUT auth
| > >
| > >
| > >I'll be glad to ci it, but those more in the know may
| > >have a better location for the fix in mind.
| > >
| > >Keith
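The two request sequences Keith lists come from the way a browser scopes Basic-auth credentials: per RFC 2617 section 2, a 401 for a URI puts every path at or below that URI's last "/" into the same protection space, so a challenge on /foo (no trailing slash) scopes credentials to "/" and they are sent preemptively to /bar. The following is an added model of that interaction, not Tomcat or Catalina code; the handler is a toy that protects one context /foo with a /* constraint and redirects /foo to /foo/, and the credentials are constructed sample values.

```python
"""Model of challenge-before-redirect versus redirect-before-challenge.

This is an added illustration, not Tomcat's authenticator.  The toy server
protects the context /foo (security constraint /*) and, like Tomcat, answers
a request for the bare context path /foo with a 301 to /foo/.
"""

PROTECTED_CONTEXT = "/foo"
VALID_CREDS = ("alice", "secret")   # constructed sample credentials


def protection_space(path):
    """RFC 2617 sec. 2: after a 401 for `path`, the browser treats every URI at
    or below the last '/' of `path` as the same protection space."""
    return path[: path.rfind("/") + 1]


def handle(path, creds, buggy):
    """Return the status code the toy server gives one request.

    buggy=True  models the 4.0.6 ordering: authenticate, then redirect.
    buggy=False models the patched ordering: redirect, then authenticate.
    """
    needs_redirect = path == PROTECTED_CONTEXT            # /foo -> /foo/
    in_context = path == PROTECTED_CONTEXT or path.startswith(PROTECTED_CONTEXT + "/")
    authorized = creds == VALID_CREDS

    if buggy:
        if in_context and not authorized:
            return 401
        if needs_redirect:
            return 301
        return 200

    if needs_redirect:
        return 301
    if in_context and not authorized:
        return 401
    return 200


class Browser:
    """Remembers protection spaces it was challenged for and sends the cached
    credentials preemptively to any URI inside one of them."""

    def __init__(self, creds):
        self.creds = creds
        self.spaces = []

    def will_send(self, path):
        return any(path.startswith(space) for space in self.spaces)

    def remember(self, path):
        self.spaces.append(protection_space(path))


def browse(buggy):
    """Replay the report's sequence: GET /foo (retrying on 401, following the
    301), then GET /bar.  Returns a trace of (path, sent_auth, status)."""
    browser = Browser(VALID_CREDS)
    trace = []
    path = "/foo"
    for _ in range(4):                   # bounded: one 401 retry, one redirect
        sent = browser.will_send(path)
        status = handle(path, VALID_CREDS if sent else None, buggy)
        trace.append((path, sent, status))
        if status == 401:
            browser.remember(path)       # retry the same URI with credentials
        elif status == 301:
            path = path + "/"            # follow the redirect to /foo/
        else:
            break
    sent = browser.will_send("/bar")     # a different realm entirely
    trace.append(("/bar", sent, handle("/bar", VALID_CREDS if sent else None, buggy)))
    return trace


if __name__ == "__main__":
    for label, buggy in (("4.0.6 (challenge first)", True), ("patched (redirect first)", False)):
        print(label)
        for path, sent, status in browse(buggy):
            print(f"  GET {path:<6} {'with auth' if sent else 'no auth  '} -> {status}")
```

Running it reproduces both tables from the report: with the buggy ordering the 401 lands on /foo, the cached protection space becomes "/", and the final GET /bar carries credentials; with the redirect issued first the 401 lands on /foo/, the space is "/foo/", and /bar is requested without them. Bill's /foo/protected case is outside this toy (it only models a /* constraint on one context).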