This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit f1fee860a161dd1f7a93a37cd57030d7cb246145
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 26 12:26:36 2024 +0100
Fix BZ 69131 - expand allowCorsPreflight to all mapped URL patterns
---
 .../apache/catalina/authenticator/AuthenticatorBase.java | 10 ++++------
 webapps/docs/changelog.xml | 7 +++++++
 webapps/docs/config/valve.xml | 15 ++++++++++-----
 3 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index c92548c229..c0d4d8ccd5 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -56,6 +56,7 @@ import org.apache.catalina.connector.Response;
 import org.apache.catalina.filters.CorsFilter;
 import org.apache.catalina.filters.RemoteIpFilter;
 import org.apache.catalina.realm.GenericPrincipal;
+import org.apache.catalina.util.FilterUtil;
 import org.apache.catalina.util.SessionIdGeneratorBase;
 import org.apache.catalina.util.StandardSessionIdGenerator;
 import org.apache.catalina.valves.RemoteIpValve;
@@ -627,12 +628,9 @@ public abstract class AuthenticatorBase extends ValveBase implements Authenticat
 for (FilterMap filterMap : context.findFilterMaps()) {
 if (filterMap.getFilterName().equals(filterDef.getFilterName())) {
 if ((filterMap.getDispatcherMapping() & FilterMap.REQUEST) > 0) {
- for (String urlPattern : filterMap.getURLPatterns()) {
- if ("/*".equals(urlPattern)) {
- allowBypass = true;
- // No need to check other patterns
- break;
- }
+ String requestPath = FilterUtil.getRequestPath(request);
+ if (FilterUtil.matchFiltersURL(filterMap, requestPath)) {
+ allowBypass = true;
 }
 }
 // Found mappings for CORS filter.
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8d1f2e267c..911bed81d7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
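Review bot: The authentication bypass now hinges on `FilterUtil.matchFiltersURL` agreeing exactly with the URL-pattern matching the filter chain itself performs for REQUEST dispatch; if the two ever diverged, a request that looks like a preflight could skip authentication without the CORS filter later processing it, so the coupling deserves a comment on the new `if`, e.g. `// Must use the same matching as the filter chain: a request that bypasses authentication here must be guaranteed to reach the CORS filter.` `FilterUtil.getRequestPath(request)` does not depend on `filterMap`, so it can be computed once before the `for` loop rather than once per mapping. Operators should be aware that the `filter` mode now exempts every path the CORS filter is mapped to, not only `/*`, which the accompanying valve.xml wording should state plainly. The enclosing method begins and ends outside the hunk.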
@@ -115,6 +115,13 @@
 Add missing algorithm callback to the <code>JAASCallbackHandler</code>.
 (remm)
 </fix>
+ <fix>
+ <bug>69131</bug>: Expand the implementation of the <code>filter</code>
+ value of the Authenticator attribute <code>allowCorsPreflight</code>, so
+ that it applies to all requests that match the configured URL patterns
+ for the CORS filter, rather than only applying if the CORS filter is
+ mapped to <code>/*</code>. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Coyote">
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index c679f3c827..baa3bb0d50 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -1445,7 +1445,8 @@
 <code>filter</code> means that a request will bypass authentication if it appears to be a CORS preflight request; it is mapped to a web application that has the <a href="filter.html#CORS_Filter">CORS
- Filter</a> enabled; and the CORS Filter is mapped to <code>/*</code>.
+ Filter</a> enabled; and the request matches the URLPatterns for the CORS
+ fitler mapper.
 <code>always</code> means that all requests that appear to be CORS preflight requests will bypass authentication. If not set, the default value is <code>never</code>.</p>
@@ -1612,7 +1613,8 @@
 <code>filter</code> means that a request will bypass authentication if it appears to be a CORS preflight request; it is mapped to a web application that has the <a href="filter.html#CORS_Filter">CORS
- Filter</a> enabled; and the CORS Filter is mapped to <code>/*</code>.
+ Filter</a> enabled; and the request matches the URLPatterns for the CORS
+ fitler mapper.
 <code>always</code> means that all requests that appear to be CORS preflight requests will bypass authentication. If not set, the default value is <code>never</code>.</p>
@@ -1794,7 +1796,8 @@
 <code>filter</code> means that a request will bypass authentication if it appears to be a CORS preflight request; it is mapped to a web application that has the <a href="filter.html#CORS_Filter">CORS
- Filter</a> enabled; and the CORS Filter is mapped to <code>/*</code>.
+ Filter</a> enabled; and the request matches the URLPatterns for the CORS
+ fitler mapper.
 <code>always</code> means that all requests that appear to be CORS preflight requests will bypass authentication. If not set, the default value is <code>never</code>.</p>
@@ -1942,7 +1945,8 @@
 <code>filter</code> means that a request will bypass authentication if it appears to be a CORS preflight request; it is mapped to a web application that has the <a href="filter.html#CORS_Filter">CORS
- Filter</a> enabled; and the CORS Filter is mapped to <code>/*</code>.
+ Filter</a> enabled; and the request matches the URLPatterns for the CORS
+ fitler mapper.
 <code>always</code> means that all requests that appear to be CORS preflight requests will bypass authentication. If not set, the default value is <code>never</code>.</p>
@@ -2057,7 +2061,8 @@
 <code>filter</code> means that a request will bypass authentication if it appears to be a CORS preflight request and the web application the request maps to has the <a href="filter.html#CORS_Filter">CORS
- Filter</a> enabled and mapped to <code>/*</code>. <code>always</code>
+ Filter</a> enabled; and the request matches the URLPatterns for the CORS
+ fitler mapper.
 means that all requests that appear to be CORS preflight requests will bypass authentication. If not set, the default value is <code>never</code>.</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org