tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 34560] - AuthenticatorBase tests and applies disableProxyCaching even if no auth-constraints
Date Sat, 23 Apr 2005 02:56:56 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=34560>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=34560


quartz12h@yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |




------- Additional Comments From quartz12h@yahoo.com  2005-04-23 04:56 -------
In order to respect the authentication spec rfc2616-14.8, although the
authorization is made by a form and not a header, the FormAuthenticator valve
was capable of emulating the proper caching constraints. The code is
manipulating the correct headers but under inaccurate circumstances.

The problem is not related to the <user-data-constraint><transport-guarantee>
tags. It has to do with the absence of <auth-constraint><role-name> tags.

The FormAuthenticator valve is visited for mappings that do not require
authentication. That alone is questionable, but assuming the valve may perform
other contracts, I suppose this visit is unavoidable. However, within the
mandate of performing authentication-based operations, the valve should restrict
itself to mappings that strictly have at least 1 role.

Like I said, every tomcat application out there is silently suffering from
non-cached static resources because:
1-the valve intercepts EVERY request, even if not matching the url pattern
AND
2-the valve does not recognize the absence of authentication constraints.

Thanks for reconsidering.

PS:...especially since the fix is trivial:
(skip if constraints==null || constraints.length==0 || all of
constraints[i].getAuthConstraint()==false)

PS:You might want to consult http://www.mnot.net/cache_docs/
and other doc like the rfc 2616
http://www.w3.org/Protocols/rfc2616/rfc2616.html
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.8

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
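An illustration of the check proposed in the comment above, added here by the editor; it is not code from the bug report and not a copy of Tomcat's AuthenticatorBase or FormAuthenticator. The SecurityConstraint stand-in, the class and method names, the header map used in place of a servlet response, and the exact header values are assumptions made so the example compiles and runs stand-alone without Catalina or servlet jars.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Gate the disableProxyCaching headers on the presence of an <auth-constraint>,
 * as the bug report proposes. Hypothetical stand-ins replace the Tomcat classes
 * so this compiles without servlet or Catalina dependencies.
 */
public final class NoCacheGate {

    /** Stand-in for Tomcat's SecurityConstraint (constructed for this example). */
    static final class SecurityConstraint {
        private final boolean authConstraint;   // true when <auth-constraint> is present
        private final String[] authRoles;       // the <role-name> entries, possibly none

        SecurityConstraint(boolean authConstraint, String... authRoles) {
            this.authConstraint = authConstraint;
            this.authRoles = authRoles;
        }

        boolean getAuthConstraint() { return authConstraint; }
        String[] findAuthRoles() { return authRoles.clone(); }
    }

    /** The check from the report: at least one matching constraint carries an <auth-constraint>. */
    static boolean requiresAuthentication(SecurityConstraint[] constraints) {
        if (constraints == null || constraints.length == 0) {
            return false;   // no <security-constraint> matched this URL at all
        }
        for (SecurityConstraint c : constraints) {
            if (c.getAuthConstraint()) {
                return true;
            }
        }
        return false;       // only <user-data-constraint>-style mappings matched
    }

    /**
     * Emit the anti-caching headers only when disableProxyCaching is on AND the
     * mapping actually requires authentication. The header names and values are
     * assumptions chosen to match the RFC 2616 sections the report cites; they are
     * not taken from AuthenticatorBase.
     */
    static void applyNoCacheHeaders(SecurityConstraint[] constraints,
                                    boolean disableProxyCaching,
                                    Map<String, String> responseHeaders) {
        if (!disableProxyCaching || !requiresAuthentication(constraints)) {
            return;   // unauthenticated mapping: leave static resources cacheable
        }
        responseHeaders.put("Pragma", "No-cache");
        responseHeaders.put("Cache-Control", "no-cache");
        responseHeaders.put("Expires", "Thu, 01 Jan 1970 00:00:00 GMT");
    }

    public static void main(String[] args) {
        // Constructed cases: an unconstrained /images/* mapping, an HTTPS-only mapping
        // (transport-guarantee but no auth-constraint), and a role-protected mapping.
        SecurityConstraint[] unconstrained = null;
        SecurityConstraint[] httpsOnly = { new SecurityConstraint(false) };
        SecurityConstraint[] protectedArea = { new SecurityConstraint(true, "admin") };

        for (SecurityConstraint[] cs : new SecurityConstraint[][] { unconstrained, httpsOnly, protectedArea }) {
            Map<String, String> headers = new LinkedHashMap<>();
            applyNoCacheHeaders(cs, true, headers);
            System.out.println("requiresAuthentication=" + requiresAuthentication(cs)
                    + " headers=" + headers);
        }
    }
}
```

Two consequences of the check worth noting: an empty `<auth-constraint/>` (deny to everyone, no `<role-name>`) still returns `true` from `getAuthConstraint()`, so such mappings keep the no-cache headers even though they list zero roles; and a mapping whose only constraint is a `<transport-guarantee>` now skips the headers, which is consistent with the report's statement that the problem is unrelated to `<user-data-constraint>`.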

