This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 5a04cf4f9ae9b71311d5eabefc69ff7f9e690609
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 12:04:30 2024 +0100

    Fix BZ 69131 - expand allowCorsPreflight to all mapped URL patterns
---
 .../apache/catalina/authenticator/AuthenticatorBase.java  | 10 ++++------
 webapps/docs/changelog.xml                                |  7 +++++++
 webapps/docs/config/valve.xml                             | 15 ++++++++++-----
 3 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java 
b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index fc8b13cd7a..ba5e1baa4b 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -57,6 +57,7 @@ import org.apache.catalina.connector.Response;
 import org.apache.catalina.filters.CorsFilter;
 import org.apache.catalina.filters.RemoteIpFilter;
 import org.apache.catalina.realm.GenericPrincipal;
+import org.apache.catalina.util.FilterUtil;
 import org.apache.catalina.util.SessionIdGeneratorBase;
 import org.apache.catalina.util.StandardSessionIdGenerator;
 import org.apache.catalina.valves.RemoteIpValve;
@@ -628,12 +629,9 @@ public abstract class AuthenticatorBase extends ValveBase 
implements Authenticat
                                         for (FilterMap filterMap : 
context.findFilterMaps()) {
                                             if 
(filterMap.getFilterName().equals(filterDef.getFilterName())) {
                                                 if 
((filterMap.getDispatcherMapping() & FilterMap.REQUEST) > 0) {
-                                                    for (String urlPattern : 
filterMap.getURLPatterns()) {
-                                                        if 
("/*".equals(urlPattern)) {
-                                                            allowBypass = true;
-                                                            // No need to 
check other patterns
-                                                            break;
-                                                        }
+                                                    String requestPath = 
FilterUtil.getRequestPath(request);
+                                                    if 
(FilterUtil.matchFiltersURL(filterMap, requestPath)) {
+                                                        allowBypass = true;
                                                     }
                                                 }
                                                 // Found mappings for CORS 
filter.
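Review bot: `requestPath` is recomputed on every iteration of the `for (FilterMap filterMap : context.findFilterMaps())` loop even though it depends only on `request`, so `String requestPath = FilterUtil.getRequestPath(request);` belongs just before that loop (or before the enclosing filterDef loop, which starts outside this hunk), leaving only `if (FilterUtil.matchFiltersURL(filterMap, requestPath)) { allowBypass = true; }` inside. The authentication bypass now rests on `FilterUtil.matchFiltersURL` reproducing the mapping rules the container applies when it actually dispatches the request to the CORS filter; a short comment at this point, e.g. `// Bypass only if the CORS filter would receive this request via its URL mapping`, would make that invariant explicit for the next maintainer. As with the removed `/*` check, only `getURLPatterns()`-style mappings are considered, so a CORS filter mapped by servlet name is presumably still not honoured here; if that is intended it is worth stating in the same comment. The enclosing method starts and ends outside this hunk.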
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 5c6b0c3ba8..95f16066ab 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -125,6 +125,13 @@
         Add the OpenSSL version number on the APR and OpenSSL status classes.
         (remm)
       </fix>
+      <fix>
+        <bug>69131</bug>: Expand the implementation of the <code>filter</code>
+        value of the Authenticator attribute <code>allowCorsPreflight</code>, 
so
+        that it applies to all requests that match the configured URL patterns
+        for the CORS filter, rather than only applying if the CORS filter is
+        mapped to <code>/*</code>. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index ae71ae0751..3c945ccee7 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -1447,7 +1447,8 @@
         <code>filter</code> means that a request will bypass authentication if
         it appears to be a CORS preflight request; it is mapped to a web
         application that has the <a href="filter.html#CORS_Filter">CORS
-        Filter</a> enabled; and the CORS Filter is mapped to <code>/*</code>.
+        Filter</a> enabled; and the request matches the URLPatterns for the 
CORS
+        fitler mapper.
         <code>always</code> means that all requests that appear to be CORS
         preflight requests will bypass authentication. If not set, the default
         value is <code>never</code>.</p>
@@ -1606,7 +1607,8 @@
         <code>filter</code> means that a request will bypass authentication if
         it appears to be a CORS preflight request; it is mapped to a web
         application that has the <a href="filter.html#CORS_Filter">CORS
-        Filter</a> enabled; and the CORS Filter is mapped to <code>/*</code>.
+        Filter</a> enabled; and the request matches the URLPatterns for the 
CORS
+        fitler mapper.
         <code>always</code> means that all requests that appear to be CORS
         preflight requests will bypass authentication. If not set, the default
         value is <code>never</code>.</p>
@@ -1788,7 +1790,8 @@
         <code>filter</code> means that a request will bypass authentication if
         it appears to be a CORS preflight request; it is mapped to a web
         application that has the <a href="filter.html#CORS_Filter">CORS
-        Filter</a> enabled; and the CORS Filter is mapped to <code>/*</code>.
+        Filter</a> enabled; and the request matches the URLPatterns for the 
CORS
+        fitler mapper.
         <code>always</code> means that all requests that appear to be CORS
         preflight requests will bypass authentication. If not set, the default
         value is <code>never</code>.</p>
@@ -1936,7 +1939,8 @@
         <code>filter</code> means that a request will bypass authentication if
         it appears to be a CORS preflight request; it is mapped to a web
         application that has the <a href="filter.html#CORS_Filter">CORS
-        Filter</a> enabled; and the CORS Filter is mapped to <code>/*</code>.
+        Filter</a> enabled; and the request matches the URLPatterns for the 
CORS
+        fitler mapper.
         <code>always</code> means that all requests that appear to be CORS
         preflight requests will bypass authentication. If not set, the default
         value is <code>never</code>.</p>
@@ -2051,7 +2055,8 @@
         <code>filter</code> means that a request will bypass authentication if
         it appears to be a CORS preflight request and the web application the
         request maps to has the <a href="filter.html#CORS_Filter">CORS
-        Filter</a> enabled and mapped to <code>/*</code>. <code>always</code>
+        Filter</a> enabled; and the request matches the URLPatterns for the 
CORS
+        fitler mapper.
         means that all requests that appear to be CORS preflight requests will
         bypass authentication. If not set, the default value is
         <code>never</code>.</p>

