tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Need workaround for Tomcat security.
Date Mon, 16 Jul 2001 23:20:20 GMT

On Sun, 15 Jul 2001, Nils O. Selåsdal wrote:

> Ok, i needed to put some security constraints to a dircetory, so I added this 
> to my web.xml:
>  <security-constraint>
>       <display-name>UQoS Amin Area</display-name>
>       <web-resource-collection>
>          <web-resource-name>UQoS Amin Area</web-resource-name>
>            <url-pattern>/admin/*</url-pattern>
>       </web-resource-collection>
> I use BASIC authentication using the memory realm.
> Works like it supposed to when someone goes to my http://xxx/webapp/Admin/ or 
> something below, HOWEVER, if they type http://xxx/webapp//Admin/ (or even 
> more slashes), all security checkings are bypassed, anyone arr let right in !
> (same things happens always, try it with the 'security' example shipped with 
> Tomcat.
> Sever bug!, I have posted it to BugZilla. This applies to atleast Tomcat 
> 3.2.1 and 3.2.2. 
> And I need it fixedas soon as possible. Does anyone know a workaround to 
> thisone.(I'd rather not upgrade to Tomcat 4 yet,seems like its fixed here.)

It's not completely fixed in 4 -- some request URI paths still let you in.

> -- 
> Nils O. Selåsdal

Yep ... it is a serious bug, affecting all versions of Tomcat, and there
is no workaround.  The problem relates to the fact that "normalization" of
the request URI (i.e. removing "//" and "/./", and compacting "/../") is
not being performed consistently.  This is going to be fixed (in all
versions) such that the request URI received by the server will be
normalized *before* being used to map to a servlet, or to select a
security constraint.  As a side effect, the value returned when you call
request.getRequestURI() will always be normalized.

Look for announcements of the availability of patched versions shortly.

Craig McClanahan

View raw message