Subject: svn commit: r1025775 - in /tomcat/trunk: java/org/apache/catalina/authenticator/FormAuthenticator.java webapps/docs/changelog.xml webapps/docs/config/valve.xml
Date: Wed, 20 Oct 2010 21:55:31 -0000
To: dev@tomcat.apache.org
From: markt@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20101020215531.5BEEA23889B9@eris.apache.org> Author: markt Date: Wed Oct 20 21:55:30 2010 New Revision: 1025775 URL: http://svn.apache.org/viewvc?rev=1025775&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=3839 Provide a mechanism to gracefully handle the case where users book-mark the form login page or otherwise abuse the FORM authentication process. Based on a suggestion by Mark Morris. Modified: tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/config/valve.xml Modified: tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1025775&r1=1025774&r2=1025775&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Wed Oct 20 21:55:30 2010 @@ -75,6 +75,12 @@ public class FormAuthenticator */ protected String characterEncoding = null; + /** + * Landing page to use if a user tries to access the login page directly or + * if the session times out during login. If not set, error responses will + * be sent instead. + */ + protected String landingPage = null; // ------------------------------------------------------------- Properties @@ -106,6 +112,22 @@ public class FormAuthenticator } + /** + * Return the landing page to use when FORM auth is mis-used. + */ + public String getLandingPage() { + return landingPage; + } + + + /** + * Set the landing page to use when the FORM auth is mis-used. + */ + public void setLandingPage(String landingPage) { + this.landingPage = landingPage; + } + + // --------------------------------------------------------- Public Methods 
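Review bot: setLandingPage stores the value verbatim (`+ this.landingPage = landingPage;`) while the redirect later in this patch is built as `request.getContextPath() + landingPage`, so a value without a leading '/' (for example `index.jsp`) silently yields a malformed URI such as `/appindex.jsp`, and an absolute URL yields nonsense. Suggest validating in the setter (reject, or prefix a missing '/') and saying in the field Javadoc that the value is a context-relative path. Minor wording nit: the getter Javadoc says "FORM auth" and the setter says "the FORM auth"; make them match.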
@@ -273,8 +295,19 @@ public class FormAuthenticator if (containerLog.isDebugEnabled()) containerLog.debug ("User took so long to log on the session expired"); - response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT, - sm.getString("authenticator.sessionExpired")); + if (landingPage == null) { + response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT, + sm.getString("authenticator.sessionExpired")); + } else { + // Make the authenticator think the user originally requested + // the landing page + String uri = request.getContextPath() + landingPage; + SavedRequest saved = new SavedRequest(); + saved.setRequestURI(uri); + request.getSessionInternal(true).setNote( + Constants.FORM_REQUEST_NOTE, saved); + response.sendRedirect(response.encodeRedirectURL(uri)); + } return (false); } @@ -291,8 +324,18 @@ public class FormAuthenticator if (log.isDebugEnabled()) log.debug("Redirecting to original '" + requestURI + "'"); if (requestURI == null) - response.sendError(HttpServletResponse.SC_BAD_REQUEST, - sm.getString("authenticator.formlogin")); + if (landingPage == null) { + response.sendError(HttpServletResponse.SC_BAD_REQUEST, + sm.getString("authenticator.formlogin")); + } else { + // Make the authenticator think the user originally requested + // the landing page + String uri = request.getContextPath() + landingPage; + SavedRequest saved = new SavedRequest(); + saved.setRequestURI(uri); + session.setNote(Constants.FORM_REQUEST_NOTE, saved); + response.sendRedirect(response.encodeRedirectURL(uri)); + } else response.sendRedirect(response.encodeRedirectURL(requestURI)); return (false); Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1025775&r1=1025774&r2=1025775&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed Oct 20 21:55:30 2010 
@@ -40,6 +40,11 @@ + 3839: Provide a mechanism to gracefully handle the case where + users book-mark the form login page or otherwise misuse the FORM + authentication process. Based on a suggestion by Mark Morris. (markt) + + 49991: Ensure servlet request listeners are fired for the login and error pages during FORM authentication. (markt) Modified: tomcat/trunk/webapps/docs/config/valve.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=1025775&r1=1025774&r2=1025775&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/valve.xml (original) +++ tomcat/trunk/webapps/docs/config/valve.xml Wed Oct 20 21:55:30 2010 @@ -552,6 +552,19 @@ workaround for browser caching issues. If not set, the default value of true will be used.

+ + +

Controls the behavior of the FORM authentication process if the + process is misused, for example by directly requesting the login page + or delaying logging in for so long that the session expires. If this + attribute is set, rather than returning an error response code, Tomcat + will redirect the user to the specified landing page if the login form + is submitted with valid credentials. For the login to be processed, the + landing page must be a protected resource (i.e. one that requires + authentication). If the landing page does not require authentication + then the user will not be logged in and will be prompted for their + credentials again when they access a protected page.

+

Controls the caching of pages that are protected by security
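Review bot: in the session-expired branch of hunk @@ -273 the SavedRequest is populated with only the request URI (`saved.setRequestURI(uri);`); the method is left unset, so if the code that later restores the request from FORM_REQUEST_NOTE copies the method from the saved request it will get null for the landing page. Suggest adding `saved.setMethod("GET");` next to the setRequestURI call so the restored request is a well-defined GET. Worth keeping as-is: `uri` is built only from the context path and the administrator-configured landingPage, so no request-controlled data reaches sendRedirect here; preserve that property if this is ever extended.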
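Review bot: hunk @@ -291 nests an if/else inside an unbraced `if (requestURI == null)` and relies on dangling-else binding for the trailing `else response.sendRedirect(response.encodeRedirectURL(requestURI));`. It parses as intended, but it reads as ambiguous; put braces around the outer if/else. The landing-page block in the else branch is also a copy of the one in the session-expired hunk (build uri, new SavedRequest, setRequestURI, setNote, sendRedirect), differing only in how the session is obtained; extract it into one private helper taking the Session so that future fixes apply to both paths.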
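Review bot: the new landingPage attribute description in the valve.xml hunk does not say that the value is appended to the web application's context path, so it must be a context-relative path beginning with '/'; add that, because a path without a leading slash or an absolute URL will not produce a usable redirect with the code in this patch. The sentence "Tomcat will redirect the user to the specified landing page if the login form is submitted with valid credentials" describes only the end state; a short note that the user is first redirected to the landing page and, because it is protected, re-challenged with the login form would make the "must be a protected resource" requirement easier to follow.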