tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 34560] New: - AuthenticatorBase tests and applies disableProxyCaching even if no auth-constraints
Date Fri, 22 Apr 2005 02:08:43 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=34560>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=34560

           Summary: AuthenticatorBase tests and applies disableProxyCaching
                    even if no auth-constraints
           Product: Tomcat 5
           Version: 5.0.24
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: quartz12h@yahoo.com


The web.xml contains

	<security-constraint>
			<display-name>Security Constraint</display-name>
			<web-resource-collection>
				<web-resource-name>HTTP Non Protected Area</web-resource-name>
				<url-pattern>/favicon.ico</url-pattern>
				<url-pattern>*.gif</url-pattern>
				<url-pattern>*.js</url-pattern>
				<url-pattern>*.html</url-pattern>
				<url-pattern>*.css</url-pattern>
				<url-pattern>/css/*</url-pattern>
				<url-pattern>/images/*</url-pattern>
				<url-pattern>/js/*</url-pattern>
			</web-resource-collection>
	 		<user-data-constraint>
	 			<transport-guarantee>
	 				CONFIDENTIAL
	 			</transport-guarantee>
	 		</user-data-constraint>
	</security-constraint>

Although it is https (CONFIDENTIAL), it doesn't have any
<auth-constraint><role-name>...
yet the valve FormAuthenticator (extends AuthenticatorBase, 5.0.24, line 458)
only tests for existence of constraints, not roles:

       if ((constraints == null) /* &&
            (!Constants.FORM_METHOD.equals(config.getAuthMethod())) */ ) {
            if (log.isDebugEnabled())
                log.debug(" Not subject to any constraint");
            context.invokeNext(request, response);
            return;
        }

        // Make sure that constrained resources are not cached by web proxies
        // or browsers as caching can provide a security hole
        HttpServletRequest hsrequest = (HttpServletRequest)hrequest.getRequest();
        if (disableProxyCaching && 
            // FIXME: Disabled for Mozilla FORM support over SSL 
            // (improper caching issue)
            //!hsrequest.isSecure() &&
            !"POST".equalsIgnoreCase(hsrequest.getMethod())) {
            HttpServletResponse sresponse = 
                (HttpServletResponse) response.getResponse();
            sresponse.setHeader("Pragma", "No-cache");
            sresponse.setHeader("Cache-Control", "no-cache");
            sresponse.setHeader("Expires", DATE_ONE);
        }


As a result, it is not allowing caching of static ressources in the patterns.
(Slow site performance)

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message