tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 28313] - Invalid redirect after successful FORM-based authentication
Date Tue, 13 Jul 2004 22:33:26 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28313>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=28313

Invalid redirect after successful FORM-based authentication

markt@apache.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID



------- Additional Comments From markt@apache.org  2004-07-13 22:33 -------
I am afraid I disagree with your analysis.

If the login page includes protected resources then the requests for these 
resources are also subject to the process described in SRV.12.5.3 (look at the 
302s in your access log) which is why the eventual redirect is to the last 
requested resource.

The only way you will get this to work is if you move the included resources 
outside the protected area.

Looking at this from another point of view. Let's assume you have the following 
resources (all protected):
index.jsp
login.jsp
picture.gif
sensitivedata.jsp

You request index.jsp and get redirected to login.jsp. NB the login page is a 
special case and can be retrieved even though it is protected but it cannot 
be retrieved directly.
login.jsp includes picture.gif so the browser requests it.
A rogue browser requests sensitivedata.jsp rather than picture.gif

Tomcat has no way of detecting the difference between the valid request for 
picture.gif and the invalid request for sensitivedata.jsp therefore requests 
for any protected resource will be redirected to the login page until the user 
is authenticated.

To reiterate my point above - if you want to use included resources with the 
login page they must be outside of the protected area.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
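The flow markt describes above, as an added example that is not part of the original message or of Tomcat's code: a small Python model of the SRV.12.5.3 behaviour (save the protected request, redirect to the login page, redirect to the last saved request after j_security_check). It runs the three scenarios from the comment: the login page pulling in a protected picture.gif (the reporter's case), the same page pulling in a picture moved outside the protected area (the fix), and a rogue browser asking for sensitivedata.jsp during the login redirect. The paths, the `/app/*` and `/static/` layout, the credentials and the simplifications noted in the comments are assumptions made for the example.

```python
"""
Model of the Servlet-spec FORM-login flow (SRV.12.5.3) as described in the
bug comment.  Simplified stand-in for Tomcat's FormAuthenticator, not its code:
- the first unauthenticated request for a protected resource is saved and
  answered with a 302 to the login page;
- every further protected request before login overwrites that saved request;
- a successful j_security_check redirects to whatever is saved at that moment.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOGIN_PAGE = "/login.jsp"
LOGIN_ACTION = "/j_security_check"
GOOD_CREDENTIALS = ("alice", "s3cret")   # constructed test user, not a real account


@dataclass
class Session:
    authenticated: bool = False
    saved_request: Optional[str] = None   # the "original request" of SRV.12.5.3


def matches(path: str, pattern: str) -> bool:
    """Servlet url-pattern matching: exact, path prefix (/x/*), extension (*.jsp)."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_protected(path: str, constraints: List[str]) -> bool:
    """True if any security-constraint url-pattern covers the path."""
    return any(matches(path, p) for p in constraints)


def handle(method: str, path: str, session: Session, constraints: List[str],
           credentials: Optional[Tuple[str, str]] = None) -> Tuple[int, Optional[str]]:
    """One request through the container.  Returns (status, Location header)."""
    if method == "POST" and path == LOGIN_ACTION:
        if credentials == GOOD_CREDENTIALS and session.saved_request:
            session.authenticated = True
            target, session.saved_request = session.saved_request, None
            return 302, target                # back to the LAST saved request
        return 403, None
    if path == LOGIN_PAGE and session.saved_request is not None:
        # special case from the comment: the login page is served even when it
        # sits inside a constraint, but only as the target of the redirect
        return 200, None
    if is_protected(path, constraints) and not session.authenticated:
        session.saved_request = path          # overwrites what was saved before
        return 302, LOGIN_PAGE
    return 200, None


def login_flow(constraints: List[str], first_page: str, included_resource: str,
               rogue_extra: Optional[str] = None):
    """Simulate the browser: first page, login page, the page's include,
    optionally a rogue request, then the login POST.  Returns the access-log
    style list of (method, path, status, location)."""
    session = Session()
    log = []

    def get(p: str) -> None:
        status, loc = handle("GET", p, session, constraints)
        log.append(("GET", p, status, loc))

    get(first_page)            # 302 to the login page, first_page saved
    get(LOGIN_PAGE)            # 200, the login form
    get(included_resource)     # the browser fetches what the form includes
    if rogue_extra:
        get(rogue_extra)       # indistinguishable from the include, to the container
    status, loc = handle("POST", LOGIN_ACTION, session, constraints, GOOD_CREDENTIALS)
    log.append(("POST", LOGIN_ACTION, status, loc))
    return log


def final_redirect(log) -> Optional[str]:
    """Where the browser lands after a successful login."""
    return log[-1][3]


if __name__ == "__main__":
    for title, args in [
        ("everything under /* , picture inside", (["/*"], "/index.jsp", "/picture.gif")),
        ("only /app/* protected, picture under /static/",
         (["/app/*"], "/app/index.jsp", "/static/picture.gif")),
    ]:
        print(title)
        for entry in login_flow(*args):
            print("  ", entry)
```

Running it shows the reporter's symptom in the first scenario (the 302 for picture.gif overwrites the saved request, so the post-login redirect goes to picture.gif) and the fix in the second (picture.gif answers 200 and the redirect still goes to index.jsp). Adding `rogue_extra="/sensitivedata.jsp"` to the first scenario shows why the container cannot do better: the rogue request gets the same 302 as the picture and is served only once the user has logged in.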

