This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 31e120f238 Fix a bug in the handling of the special ** role
31e120f238 is described below
commit 31e120f2389d4e8a78cbc588faa1ef74621262c6
Author: Mark Thomas <[email protected]>
AuthorDate: Mon Apr 20 23:21:33 2026 +0100
Fix a bug in the handling of the special ** role
Requests to URIs with a constraint that only specified the ** role were
receiving 403 responses rather than 401.
---
.../catalina/authenticator/AuthenticatorBase.java | 6 +-
.../authenticator/TestDigestAuthenticatorB.java | 213 +++++++++++++++++++++
webapps/docs/changelog.xml | 6 +
3 files changed, 223 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index bf778f73a6..8bbb8ff349 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -529,9 +529,11 @@ public abstract class AuthenticatorBase extends ValveBase
implements Authenticat
if (constraints != null) {
hasAuthConstraint = true;
for (int i = 0; i < constraints.length && hasAuthConstraint; i++) {
- if (!constraints[i].getAuthConstraint()) {
+ if (constraints[i].getAllRoles() ||
constraints[i].getAuthenticatedUsers()) {
+ // NO-OP - has hasAuthConstraint
+ } else if (!constraints[i].getAuthConstraint()) {
hasAuthConstraint = false;
- } else if (!constraints[i].getAllRoles() &&
!constraints[i].getAuthenticatedUsers()) {
+ } else {
String[] roles = constraints[i].findAuthRoles();
if (roles == null || roles.length == 0) {
hasAuthConstraint = false;
diff --git
a/test/org/apache/catalina/authenticator/TestDigestAuthenticatorB.java
b/test/org/apache/catalina/authenticator/TestDigestAuthenticatorB.java
new file mode 100644
index 0000000000..9210b1780b
--- /dev/null
+++ b/test/org/apache/catalina/authenticator/TestDigestAuthenticatorB.java
@@ -0,0 +1,213 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.authenticator;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+
+import org.apache.catalina.Context;
+import org.apache.catalina.authenticator.DigestAuthenticator.AuthDigest;
+import org.apache.catalina.startup.TesterMapRealm;
+import org.apache.catalina.startup.TesterServlet;
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.buf.HexUtils;
+import org.apache.tomcat.util.descriptor.web.LoginConfig;
+import org.apache.tomcat.util.descriptor.web.SecurityCollection;
+import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
+import org.apache.tomcat.util.security.ConcurrentMessageDigest;
+
+@RunWith(Parameterized.class)
+public class TestDigestAuthenticatorB extends TomcatBaseTest {
+
+ private static final String targetURI = "/test";
+ private static final String validUser = "user";
+ private static final String validPassword = "password";
+ private static final String validRole = "role";
+ private static final String realmName = "realm";
+ private static final String clientNonce = "cnonce";
+
+
+ @Parameterized.Parameters(name = "{index}")
+ public static Collection<Object[]> parameters() {
+ List<Object[]> parameterSets = new ArrayList<>();
+ parameterSets.add(new Object[] { validRole, validUser, validPassword
});
+ parameterSets.add(new Object[] { "**", validUser, validPassword });
+ return parameterSets;
+ }
+
+ @Parameter(0)
+ public String serverPermittedRole;
+
+ @Parameter(1)
+ public String clientUserName;
+
+ @Parameter(2)
+ public String clientPassword;
+
+
+ @Test
+ public void testDigestAuthentication() throws Exception {
+ // Configure a context with digest authentication and a single
protected resource
+ Tomcat tomcat = getTomcatInstance();
+
+ // No file system docBase required
+ Context ctxt = getProgrammaticRootContext();
+
+ // Add protected servlet
+ Tomcat.addServlet(ctxt, "TesterServlet", new TesterServlet());
+ ctxt.addServletMappingDecoded(targetURI, "TesterServlet");
+ SecurityCollection collection = new SecurityCollection();
+ collection.addPatternDecoded(targetURI);
+ SecurityConstraint sc = new SecurityConstraint();
+ sc.addAuthRole(serverPermittedRole);
+ sc.addCollection(collection);
+ ctxt.addConstraint(sc);
+
+ // Configure the Realm
+ TesterMapRealm realm = new TesterMapRealm();
+ realm.addUser(validUser, validPassword);
+ realm.addUserRole(validUser, validRole);
+
+ ctxt.setRealm(realm);
+
+ // Configure the authenticator
+ LoginConfig lc = new LoginConfig();
+ lc.setAuthMethod("DIGEST");
+ lc.setRealmName(realmName);
+ ctxt.setLoginConfig(lc);
+ DigestAuthenticator digestAuthenticator = new DigestAuthenticator();
+ ctxt.getPipeline().addValve(digestAuthenticator);
+
+ tomcat.start();
+
+ // The first request will always fail - but we need the challenge
+ Map<String,List<String>> respHeaders = new HashMap<>();
+ ByteChunk bc = new ByteChunk();
+ int rc = getUrl("http://localhost:"; + getPort() + targetURI, bc,
respHeaders);
+ Assert.assertEquals(401, rc);
+ Assert.assertTrue(bc.getLength() > 0);
+ bc.recycle();
+
+ // Second request should
+ List<String> auth = new ArrayList<>();
+ auth.add(buildDigestResponse(clientUserName, clientPassword,
targetURI, realmName, AuthDigest.SHA_256,
+ respHeaders.get(AuthenticatorBase.AUTH_HEADER_NAME),
"00000001", clientNonce, DigestAuthenticator.QOP));
+ Map<String,List<String>> reqHeaders = new HashMap<>();
+ reqHeaders.put("authorization", auth);
+ rc = getUrl("http://localhost:"; + getPort() + targetURI, bc,
reqHeaders, null);
+
+ Assert.assertEquals(200, rc);
+ Assert.assertEquals("OK", bc.toString());
+ }
+
+
+ protected static String getNonce(String authHeader) {
+ int start = authHeader.indexOf("nonce=\"") + 7;
+ int end = authHeader.indexOf('\"', start);
+ return authHeader.substring(start, end);
+ }
+
+
+ protected static String getOpaque(String authHeader) {
+ int start = authHeader.indexOf("opaque=\"") + 8;
+ int end = authHeader.indexOf('\"', start);
+ return authHeader.substring(start, end);
+ }
+
+
+ private static String buildDigestResponse(String user, String pwd, String
uri, String realm, AuthDigest algorithm,
+ List<String> authHeaders, String nc, String cnonce, String qop) {
+
+ // Find auth header with correct algorithm
+ String nonce = null;
+ String opaque = null;
+ for (String authHeader : authHeaders) {
+ nonce = getNonce(authHeader);
+ opaque = getOpaque(authHeader);
+ if (authHeader.contains("algorithm=" + algorithm.getRfcName())) {
+ break;
+ }
+ }
+ if (nonce == null || opaque == null) {
+ Assert.fail();
+ }
+
+ String a1 = user + ":" + realm + ":" + pwd;
+ String a2 = "GET:" + uri;
+
+ String digestA1 = digest(algorithm.getJavaName(), a1);
+ String digestA2 = digest(algorithm.getJavaName(), a2);
+
+ String response;
+ if (qop == null) {
+ response = digestA1 + ":" + nonce + ":" + digestA2;
+ } else {
+ response = digestA1 + ":" + nonce + ":" + nc + ":" + cnonce + ":"
+ qop + ":" + digestA2;
+ }
+
+ String digestResponse = digest(algorithm.getJavaName(), response);
+
+ StringBuilder auth = new StringBuilder();
+ auth.append("Digest username=\"");
+ auth.append(user);
+ auth.append("\", realm=\"");
+ auth.append(realm);
+ auth.append("\", algorithm=");
+ auth.append(algorithm.getRfcName());
+ auth.append(", nonce=\"");
+ auth.append(nonce);
+ auth.append("\", uri=\"");
+ auth.append(uri);
+ auth.append("\", opaque=\"");
+ auth.append(opaque);
+ auth.append("\", response=\"");
+ auth.append(digestResponse);
+ auth.append("\"");
+ if (qop != null) {
+ auth.append(", qop=");
+ auth.append(qop);
+ auth.append("");
+ }
+ if (nc != null) {
+ auth.append(", nc=");
+ auth.append(nc);
+ }
+ if (cnonce != null) {
+ auth.append(", cnonce=\"");
+ auth.append(cnonce);
+ auth.append("\"");
+ }
+
+ return auth.toString();
+ }
+
+
+ private static String digest(String algorithm, String input) {
+ return HexUtils.toHexString(ConcurrentMessageDigest.digest(algorithm,
input.getBytes()));
+ }
+}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 617d102b1e..0700a7ff31 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -210,6 +210,12 @@
<bug>70000</bug>: fix duplication of special headers in the response
after commit, following fix for <bug>69967</bug>. (remm)
</fix>
+ <fix>
+ Correct the handling of URIs mapped to a security constraint that only
+ specifies the special <code>**</code> role for all authenticated users.
+ Requests without authentication were receiving 403 responses rather
than
+ 401 responses. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
