tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r533381 - in /tomcat/container/branches/tc4.1.x: RELEASE-NOTES-4.1.txt catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
Date Sat, 28 Apr 2007 16:10:04 GMT
Author: markt
Date: Sat Apr 28 09:10:03 2007
New Revision: 533381

URL: http://svn.apache.org/viewvc?view=rev&rev=533381
Log:
Return a 403 rather than a 500 if a request matches a security constraint that is defined
with no roles and no associated login-config is specified.

Modified:
    tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
    tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java

Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt?view=diff&rev=533381&r1=533380&r2=533381
==============================================================================
--- tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt (original)
+++ tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Sat Apr 28 09:10:03 2007
@@ -1668,6 +1668,11 @@
          Commons Logging
          Return to BeanUtils 1.7.0 since Commons Logging 1.1 resolves the issue
 
+[4.1.37] Authentication
+         Return a 403 rather than a 500 if a request matches a security
+         constraint that is defined with no roles and no associated
+         login-config is specified.
+
 
 ----------------
 Coyote Bug Fixes:

Modified: tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java?view=diff&rev=533381&r1=533380&r2=533381
==============================================================================
--- tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++ tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
Sat Apr 28 09:10:03 2007
@@ -554,18 +554,6 @@
             }
         }
 
-        // Which user principal have we already authenticated?
-        Principal principal =
-            ((HttpServletRequest) request.getRequest()).getUserPrincipal();
-        if (principal == null) {
-            if (debug >= 2)
-                log("  No user authenticated, cannot grant access");
-            ((HttpServletResponse) response.getResponse()).sendError
-                (HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
-                 sm.getString("authenticator.notAuthenticated"));
-            return (false);
-        }
-
         // Check each role included in this constraint
         String roles[];
         if (constraint.getAllRoles()) {
@@ -585,6 +573,18 @@
             return (false); // No listed roles means no access at all
         }
         
+        // Which user principal have we already authenticated?
+        Principal principal =
+            ((HttpServletRequest) request.getRequest()).getUserPrincipal();
+        if (principal == null) {
+            if (debug >= 2)
+                log("  No user authenticated, cannot grant access");
+            ((HttpServletResponse) response.getResponse()).sendError
+                (HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+                 sm.getString("authenticator.notAuthenticated"));
+            return (false);
+        }
+
         Realm realm = context.getRealm();
         for (int i = 0; i < roles.length; i++) {
             if (realm.hasRole(principal, roles[i]))



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message