tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: HTTP 400 with Form based authentication
Date Wed, 09 Sep 2015 13:45:57 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Sreyan,

On 9/7/15 2:17 PM, Sreyan Chakravarty wrote:
> I have found the cause of the problem. It seems that there is no
> null checking in the DataSourceRealm in Tomcat. What I mean is that
> if a particular user does not exist in the database and is
> credentials are returned as a null string then no null checking is
> specified.
> 
> I would like to open this as a bug.

https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%208

Before you file a bug:

1. Make sure you test on Tomcat 8.0.26
2. Make sure you post a stack trace from the NPE
3. If you can provide a simple test-case, it would be helpful

> The easiest solution is to write a custom Realm that provides the
> null checking. The only problem is that now why am I not being
> redirected to the error page if I provide a valid user with a wrong
> password.

If the authenticate() method returns false, then Tomcat should send
the user to the form-error-page. It may not issue a redirect, but
instead perform a forward. Is that a problem?

> Please if anyone can tell me how to write a custom Realm then it
> would be really appreciated.

If this really is a bug, it should be fixed. I'm skeptical at this
point, since nobody has reported this yet. It would be a fairly big bug.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJV8DgVAAoJEBzwKT+lPKRYTfwP/A1tstT6mwueYnnjIT34HSji
Tu8OasywHIVPmVQ07jC7pkvysCGtOegGyWuymAilDWNEqiBsNuUmnMMuL/jJNm1D
8GLb0V8tazbxlNWsHyQ7Gg8XPEDvuRWjzJVNpCrHDbdrwOhKz0DnejxjPyXpSGkq
b2xyS+ay7iD8VLfohmclM6LD1Kp7+MdIwtnTPag5GvkAErwRQ9XmoByTVV1cZPbC
JToYerhP1kMepfF1M9K+XSotkod1xWYvq21sz2AC7sV/0kdcwOyZ/NWYqZSSdvbt
VlwQxcLqkliV6GRD/TRWduXrk36KwbNsgLNISTqjMwgBmL5HjLV7LmegL/kfK97u
J0ijssLVs/NA5BahEzmmDN/q3PfYrc7HWYJTeutt4T9obwuLqIFOoHZHPVKHj5vr
BZxWrgBVWULWw2MRpFooE4QiMaFHsLun7U/vLsKHT4ledJwPOt65UM0ARF06nZwV
htQfMkVFzqaM51+ZyJn4WBtGSwkQM1Mk8BARl5dOcH319GERRQB3ttLqJbSfmSca
PO38R6t3u0uvRmFHQqD11WHECEDWrt7rZbohyQSAX8acQb31pytrDPy4YsDDOk/o
fLpJ3v92ZGlnr22E1epziE5/bVzUywVmPkBTymJDKotOvYApu1FjUBINfyftsK71
rc3wYFqoC35+Oy29vvek
=ocBg
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message