Return-Path: <greenrd@hotmail.com>
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 52543 invoked from network); 8 May 2000 12:02:53 -0000
Received: from f46.law4.hotmail.com (HELO hotmail.com) (216.33.149.46)
  by locus.apache.org with SMTP; 8 May 2000 12:02:53 -0000
Received: (qmail 14459 invoked by uid 0); 8 May 2000 12:02:27 -0000
Message-ID: <20000508120227.14458.qmail@hotmail.com>
Received: from 148.88.17.9 by www.hotmail.com with HTTP;
	Mon, 08 May 2000 05:02:27 PDT
X-Originating-IP: [148.88.17.9]
From: "Robin Green" <greenrd@hotmail.com>
To: tomcat-user@jakarta.apache.org
Subject: [PATCH] for two BASIC authentication bugs in 3.1
Date: Mon, 08 May 2000 13:02:27 BST
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

This cc'd to tomcat-user (oops, typo) because a number of users had reported 
these bugs.

Below are patches for a couple of bugs in 3.1 final which had not been fixed 
in CVS as of yesterday. The bugs are described in the email  included below.

Apologies if this is going over old ground. I was told that this had been 
discussed before (soon after 3.1 release) and it was decided not to fix them 
because of the move to a new security architecture (I understand from the 
CVS logs that SimpleMapper is to be deleted). However, I couldn't find this 
discussion in the mailing list archives (neither users nor dev).

--- org/apache/tomcat/core/Container.java.orig  Mon May  8 12:52:10 2000
+++ org/apache/tomcat/core/Container.java       Mon May  8 12:35:40 2000
@@ -281,6 +281,10 @@
        return handler;
     }

+    public boolean hasNonDefaultHandler () {
+       return handler != null;
+    }
+
     /** The handler ( servlet ) for this container
      */
     public void setHandler(ServletWrapper h) {


--- org/apache/tomcat/request/SimpleMapper.java.orig    Mon May  8 12:57:20 
2000
+++ org/apache/tomcat/request/SimpleMapper.java Mon May  8 12:33:55 2000
@@ -291,7 +291,7 @@
        // add the mapping in the "securityContraints"
        // or in contextPaths if it's a servlet mapping
        Hashtable mtable=securityConstraints;
-       if( ct.getHandler() != null )
+       if( ct.hasNonDefaultHandler() )
            mtable=contextPaths;

        if(debug>0) ctx.log("Add mapping/container " + path + " " + 
ctx.getDebug() + " " + ctxP + " " +
@@ -389,7 +389,7 @@
        }

        // Set servlet path and path info
-       if( wrapper != null && wrapper.getHandler() != null ) {
+       if( wrapper != null && wrapper.hasNonDefaultHandler () ) {
            // Found a match !
            req.setServletPath( s );
            String pathI = path.substring(s.length(), path.length());



>From: "Robin Green" <greenrd@hotmail.com>
>Reply-To: tomcat-user@jakarta.apache.org
>To: tomcat-user@jakarta.apache.org
>Subject: Two authentication bugs
>Date: Wed, 03 May 2000 16:56:32 BST
>
>My configuration is
>
>Tomcat 3.1
>Cocoon 1.7.1-dev
>Solaris 7
>
>I have set up two BASIC authentication zones for development purposes in
>build/tomcat/conf/web.xml as follows:
>
>    <security-constraint>
>      <web-resource-collection>
>         <web-resource-name>Administrator Area</web-resource-name>
>         <!-- Define the context-relative URL(s) to be protected -->
>         <url-pattern>/admin/*</url-pattern>
>     </web-resource-collection>
>      <auth-constraint>
>         <!-- Anyone with one of the listed roles may access this area -->
>         <role-name>admin</role-name>
>      </auth-constraint>
>    </security-constraint>
>
>    <security-constraint>
>      <web-resource-collection>
>         <web-resource-name>Members Area</web-resource-name>
>         <!-- Define the context-relative URL(s) to be protected -->
>         <url-pattern>/users/*</url-pattern>
>     </web-resource-collection>
>      <auth-constraint>
>         <!-- Anyone with one of the listed roles may access this area -->
>         <role-name>admin</role-name>
>         <role-name>user</role-name>
>      </auth-constraint>
>    </security-constraint>
>
>The relevant context from server2.xml is
>
>        <Context path="/fyp" docBase="/home/ufs1/12/greenrd/fyp/public"
>         debug="1"
>         reloadable="true" />
>
>However, when I log in correctly:
>
>Bug 1: the servlet mapping which states that *.xml files are to be handled
>by Cocoon is broken inside these security zones (but not outside). Instead
>it returns the .xml file directly to Internet Explorer.
>
>Bug 2: http://myhost/fyp/users/foobar.xml causes Tomcat to fetch
>~/fyp/public/foobar.xml not ~/fyp/public/users/foobar.xml as it should. So 
>I
>tried http://myhost/fyp/users/users/ and this gave me a directory listing
>starting with
>
>Directory Listing for: /fyp/users/users/
>Up to: /fyp/users
>
>
>which is _actually_ a directory listing for ~/fyp/public/users (it should
>have 404ed). Clearly the path for the zone is being stripped from the URI,
>which makes no sense. ( ~ indicates my home dir, /home/ufs1/12/greenrd ).
>
>There are no operating-system symbolic links involved. There is no WEB-INF
>directory under ~/fyp/public . If I create one and copy web.xml to
>~/fyp/public/WEB-INF and restart tomcat, same two bugs occur.
>
>I really don't want to reorganise all my links to work around this bug.
>Suggestions?
>
>--
>Robin
>
>270+ Open Source Java links!
>http://directory.mozilla.org/Computers/Programming/Languages/Java/Open_Source/
>
>________________________________________________________________________
>Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
>
>
>--------------------------------------------------------------------------
>To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commmands, email: tomcat-user-help@jakarta.apache.org
>

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com