tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51453] New: Requests to open URL that include an Authorization header do not reach servlet
Date Thu, 30 Jun 2011 14:10:50 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51453

             Bug #: 51453
           Summary: Requests to open URL that include an Authorization
                    header do not reach servlet
           Product: Tomcat 7
           Version: 7.0.16
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: i9sg0ij02@sneakemail.com
    Classification: Unclassified


In Tomcat 7, I've noticed that a request to a URL that does not require
authentication will get forwarded to the login page if the request contains an
"Authorization" header.

Our application expects these requests to be processed by the servlet.  The
servlet parses the Authorization header and takes appropriate action (possibly
redirecting to the login page or allowing the request if the headers contain an
acceptible token).  This has worked in older versions of Tomcat.

The relevant part of our web.xml looks like:

<security-constraint>

  <web-resource-collection>
    <web-resource-name>open</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- several other url patterns -->
  </web-resource-collection>

  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>

  <!-- Notice no auth-constraint element -->

</security-constraint>

I observed the behavior of
org.apache.catalina.authenticator.AuthenticatorBase.invoke(), here's what I
saw:

The constraints variable contains a single constraint that matches the security
constraint from our web.xml above.

On line 520, authRequired is set to true because of the presence of the
Authorization header.

The authenticate() call on line 535 fails and redirects to the login page.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message