Subject: svn commit: r1025775 - in /tomcat/trunk:
java/org/apache/catalina/authenticator/FormAuthenticator.java
webapps/docs/changelog.xml webapps/docs/config/valve.xml
Date: Wed, 20 Oct 2010 21:55:31 -0000
To: dev@tomcat.apache.org
From: markt@apache.org
X-Mailer: svnmailer-1.0.8
Message-Id: <20101020215531.5BEEA23889B9@eris.apache.org>
Author: markt
Date: Wed Oct 20 21:55:30 2010
New Revision: 1025775
URL: http://svn.apache.org/viewvc?rev=1025775&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=3839
Provide a mechanism to gracefully handle the case where users bookmark the form login page or otherwise abuse the FORM authentication process.
Based on a suggestion by Mark Morris.
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/valve.xml
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1025775&r1=1025774&r2=1025775&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Wed Oct 20 21:55:30 2010
@@ -75,6 +75,12 @@ public class FormAuthenticator
*/
protected String characterEncoding = null;
+ /**
+ * Landing page to use if a user tries to access the login page directly or
+ * if the session times out during login. If not set, error responses will
+ * be sent instead.
+ */
+ protected String landingPage = null;
// ------------------------------------------------------------- Properties
@@ -106,6 +112,22 @@ public class FormAuthenticator
}
+ /**
+ * Return the landing page to use when FORM auth is mis-used.
+ */
+ public String getLandingPage() {
+ return landingPage;
+ }
+
+
+ /**
+ * Set the landing page to use when the FORM auth is mis-used.
+ */
+ public void setLandingPage(String landingPage) {
+ this.landingPage = landingPage;
+ }
+
+
// --------------------------------------------------------- Public Methods
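Review bot: setLandingPage() stores the value unchecked, yet both call sites below build the redirect as `request.getContextPath() + landingPage`, so a value without a leading '/' (say `index.jsp` under context `/app`) produces `/appindex.jsp`. Either normalise in the setter (`if (!landingPage.startsWith("/")) landingPage = "/" + landingPage;`) or reject such values with an IllegalArgumentException, and state in the Javadoc that the value is context-relative and must begin with '/'.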
@@ -273,8 +295,19 @@ public class FormAuthenticator
if (containerLog.isDebugEnabled())
containerLog.debug
("User took so long to log on the session expired");
- response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
- sm.getString("authenticator.sessionExpired"));
+ if (landingPage == null) {
+ response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
+ sm.getString("authenticator.sessionExpired"));
+ } else {
+ // Make the authenticator think the user originally requested
+ // the landing page
+ String uri = request.getContextPath() + landingPage;
+ SavedRequest saved = new SavedRequest();
+ saved.setRequestURI(uri);
+ request.getSessionInternal(true).setNote(
+ Constants.FORM_REQUEST_NOTE, saved);
+ response.sendRedirect(response.encodeRedirectURL(uri));
+ }
return (false);
}
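Review bot: the synthetic SavedRequest built before the redirect carries only a request URI; the other fields restoreRequest() later copies back onto the request (the HTTP method in particular) stay null, so the replayed request for the landing page has no method. Add `saved.setMethod("GET");` next to `saved.setRequestURI(uri);` so the replay is a plain GET. Separately, `request.getSessionInternal(true)` creates a fresh session that holds the saved request but, as far as this hunk shows, no FORM_PRINCIPAL_NOTE, so a user who just supplied valid credentials will be shown the login form a second time when the landing page is requested; if that is intended, the comment "Make the authenticator think the user originally requested the landing page" should say so, because it reads as if the login completes.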
@@ -291,8 +324,18 @@ public class FormAuthenticator
if (log.isDebugEnabled())
log.debug("Redirecting to original '" + requestURI + "'");
if (requestURI == null)
- response.sendError(HttpServletResponse.SC_BAD_REQUEST,
- sm.getString("authenticator.formlogin"));
+ if (landingPage == null) {
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST,
+ sm.getString("authenticator.formlogin"));
+ } else {
+ // Make the authenticator think the user originally requested
+ // the landing page
+ String uri = request.getContextPath() + landingPage;
+ SavedRequest saved = new SavedRequest();
+ saved.setRequestURI(uri);
+ session.setNote(Constants.FORM_REQUEST_NOTE, saved);
+ response.sendRedirect(response.encodeRedirectURL(uri));
+ }
else
response.sendRedirect(response.encodeRedirectURL(requestURI));
return (false);
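Review bot: this branch repeats the six-line landing-page redirect from the session-expired branch above (build uri, new SavedRequest, setRequestURI, setNote, sendRedirect) with only the session source differing; extract a helper such as `redirectToLandingPage(request, response, session)` and call it from both places so a later fix to the saved request (method, decoded URI) is made once. Also, `if (requestURI == null)` now wraps a braced if/else without braces of its own, followed by the outer `else`; it parses as intended, but brace the outer if/else so the dangling-else pairing is obvious to the next reader.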
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1025775&r1=1025774&r2=1025775&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Oct 20 21:55:30 2010
@@ -40,6 +40,11 @@
+ 3839: Provide a mechanism to gracefully handle the case where
+ users book-mark the form login page or otherwise misuse the FORM
+ authentication process. Based on a suggestion by Mark Morris. (markt)
+
+
49991: Ensure servlet request listeners are fired for
the login and error pages during FORM authentication. (markt)
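Review bot: the entry describes the new behaviour but never names the setting that enables it; add the attribute name (`landingPage` on the FORM authenticator valve) and point at the valve documentation so a reader of the changelog can find and configure it.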
Modified: tomcat/trunk/webapps/docs/config/valve.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=1025775&r1=1025774&r2=1025775&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/trunk/webapps/docs/config/valve.xml Wed Oct 20 21:55:30 2010
@@ -552,6 +552,19 @@
workaround for browser caching issues. If not set, the default value of
true
will be used.
+
+
+ Controls the behavior of the FORM authentication process if the
+ process is misused, for example by directly requesting the login page
+ or delaying logging in for so long that the session expires. If this
+ attribute is set, rather than returning an error response code, Tomcat
+ will redirect the user to the specified landing page if the login form
+ is submitted with valid credentials. For the login to be processed, the
+ landing page must be a protected resource (i.e. one that requires
+ authentication). If the landing page does not require authentication
+ then the user will not be logged in and will be prompted for their
+ credentials again when they access a protected page.
+
Controls the caching of pages that are protected by security
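Review bot: the description does not say what form the value takes. Both code paths prepend the context path (`request.getContextPath() + landingPage`), so state that the value is context-relative and must begin with '/', e.g. `landingPage="/index.jsp"`. The text also promises a redirect "if the login form is submitted with valid credentials", but in the expired-session path the redirect is issued from a freshly created session without the authenticated principal, so the user reaches the landing page unauthenticated and is asked for credentials again even when the landing page is protected; say that in that case the landing page is where the user ends up after logging in a second time, rather than implying the first login completes.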
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org