Here are my diffs to allow mod_jk to understand URIs of the form
/context/*whatever
and for ApacheConfig to write entries to mod_jk.conf-auto of the form
/context/*j_security_check
Combined, these patches should allow form-based authentication to work with
Apache+tomcat
If anyone sees any glaring problems with the modifications, please
let me know and I'll try and fix it.
-Mike Jennings
----- Original Message -----
From: "Michael Jennings" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Friday, November 02, 2001 6:38 PM
Subject: Re: patch to jk_uri_worker_map.c -> slightly more sophisticated
string matching
> Hi Costin & Larry,
>
> I'll apply my change to jakarta-tomcat-connectors then send the diff as an
> attachment.
>
> -Mike
>
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: "Tomcat Developers List" <[EMAIL PROTECTED]>
> Sent: Friday, November 02, 2001 12:08 PM
> Subject: Re: patch to jk_uri_worker_map.c -> slightly more sophisticated
> string matching
>
>
> > Mike,
> >
> > Thanks for the patch and your interest. One small problem: the
development
> > of jk moved to jakarta-tomcat-connectors. We should do only 'major' bug
> > fixes in j-t/src/native.
> >
> > Of course, all rules have exceptions - but it is extremely painfull to
> > merge and track 2 codebases.
> >
> > Costin
> >
> >
> > On Fri, 2 Nov 2001, Michael Jennings wrote:
> >
> > > If anyone sees any glaring problems with the following modification to
> > > mod_jk
> > > please let me know.
> > >
> > > -Mike Jennings
> > >
> > > Index: jakarta-tomcat/src/native/jk/jk_uri_worker_map.c
> > > ===================================================================
> > > RCS file:
> > >
/home/cvspublic/jakarta-tomcat/src/native/jk/Attic/jk_uri_worker_map.c,v
> > > retrieving revision 1.3.2.1
> > > diff -r1.3.2.1 jk_uri_worker_map.c
> > > 75,77c75,78
> > > < #define MATCH_TYPE_EXACT (0)
> > > < #define MATCH_TYPE_CONTEXT (1)
> > > < #define MATCH_TYPE_SUFFIX (2)
> > > ---
> > > > #define MATCH_TYPE_EXACT (0) /* match an exact pattern */
> > > > #define MATCH_TYPE_CONTEXT (1) /* match all URIs in a given
context
> */
> > > > #define MATCH_TYPE_SUFFIX (2) /* match all URIs of the form
*.ext
> */
> > > > #define MATCH_TYPE_GENERAL_SUFFIX (3) /* match all URIs of the form
> *ext
> > > */
> > > 231c232
> > > <
> > > ---
> > > >
> > > 236,237c237,238
> > > < jk_log(l, JK_LOG_ERROR,
> > > <
> > > "jk_uri_worker_map_t::uri_worker_map_open, malloc failed\n");
> > > ---
> > > > jk_log(l, JK_LOG_ERROR,
> > > >
> > > "jk_uri_worker_map_t::uri_worker_map_open, malloc failed\n");
> > > 244,245c245,246
> > > < * we need to have a '/' then a '*' and
> the a
> > > '.' or a
> > > < * '/' then a '*'
> > > ---
> > > > * we need to have a '/' then a '*' and
> the a
> > > '.' or a
> > > > * '/' then a '*'
> > > 247c248,252
> > > < asterisk--;
> > > ---
> > > > asterisk--; /* point to char before
> asterisk
> > > */
> > > > /* asterisk[0]='/'
> > > > asterisk[1]='*'
> > > > asterisk[2]='.' or asterisk[2]='\0'
or
> > > asterisk[2]!='\0'
> > > > */
> > > 248a254
> > > > asterisk[1] = '\0'; /* terminate the
> uri
> > > pattern at the asterisk */
> > > 251c257
> > > < asterisk[1] = asterisk[2] =
'\0';
> > > ---
> > > > asterisk[2] = '\0';
> > > 252a259,260
> > > > /* uri-pattern will now contain
> > > context only
> > > > since asterisk[1]='\0' */
> > > 256,258c264,276
> > > < jk_log(l, JK_LOG_DEBUG,
> > > < "Into
> > > jk_uri_worker_map_t::uri_worker_map_open, suffix rule %s.%s=%s was
> added\n",
> > > < uri, asterisk + 3,
worker);
> > > ---
> > > > jk_log(l, JK_LOG_DEBUG,
> > > > "Into
> > > jk_uri_worker_map_t::uri_worker_map_open, suffix rule %s.%s=%s was
> added\n",
> > > > uri, asterisk + 3,
worker);
> > > > j++;
> > > > } else if ('\0' != asterisk[2]) {
> > > > /* general suffix rule */
> > > > uw_map->maps[j].worker_name =
> worker;
> > > > uw_map->maps[j].context = uri;
> > > > uw_map->maps[j].suffix =
asterisk
> +
> > > 2;
> > > > uw_map->maps[j].match_type =
> > > MATCH_TYPE_GENERAL_SUFFIX;
> > > > jk_log(l, JK_LOG_DEBUG,
> > > > "Into
> > > jk_uri_worker_map_t::uri_worker_map_open, general suffix rule %s*%s=%s
> was
> > > added\n",
> > > > uri, asterisk + 2,
worker);
> > > 260c278,279
> > > < } else {
> > > ---
> > > > }
> > > > else {
> > > 262d280
> > > < asterisk[1] = '\0';
> > > 267,269c285,287
> > > < jk_log(l, JK_LOG_DEBUG,
> > > < "Into
> > > jk_uri_worker_map_t::uri_worker_map_open, match rule %s=%s was
added\n",
> > > < uri, worker);
> > > ---
> > > > jk_log(l, JK_LOG_DEBUG,
> > > > "Into
> > > jk_uri_worker_map_t::uri_worker_map_open, match rule %s=%s was
added\n",
> > > > uri, worker);
> > > 273c291
> > > < /* not leagal !!! */
> > > ---
> > > > /* not legal !!! */
> > > 275c293
> > > <
> > > "jk_uri_worker_map_t::uri_worker_map_open, [%s=%s] not a leagal
rule\n",
> > > ---
> > > >
> > > "jk_uri_worker_map_t::uri_worker_map_open, [%s=%s] not a legal
rule\n",
> > > 321a340,353
> > > > /* returns the index of the last occurrence of the 'ch' character
> > > > if ch=='\0' returns the length of the string str
> > > > */
> > > > int last_index_of(const char *str,char ch)
> > > > {
> > > > const char *str_minus_one=str-1;
> > > > const char *s=str+strlen(str);
> > > > while(s!=str_minus_one && ch!=*s)
> > > > {
> > > > --s;
> > > > }
> > > > return (s-str);
> > > > }
> > > >
> > > 379a412,419
> > > > } else if(MATCH_TYPE_GENERAL_SUFFIX ==
> > > uw_map->maps[i].match_type) {
> > > > int
> > > suffix_start=last_index_of(uri,uw_map->maps[i].suffix[0]);
> > > > if (suffix_start>=0 &&
> > > 0==strcmp(uri+suffix_start,uw_map->maps[i].suffix)) {
> > > > if(uw_map->maps[i].ctxt_len >= longest_match) {
> > > > longest_match = uw_map->maps[i].ctxt_len;
> > > > best_match = i;
> > > > }
> > > > }
> > > 382,385c422,425
> > > <
> > > < for(suffix_start = strlen(uri) - 1 ;
> > > < suffix_start > 0 && '.' !=
uri[suffix_start];
> > > < suffix_start--)
> > > ---
> > > >
> > > > for(suffix_start = strlen(uri) - 1 ;
> > > > suffix_start > 0 && '.' !=
uri[suffix_start];
> > > > suffix_start--)
> > > 391c431
> > > < #ifdef WIN32
> > > ---
> > > > #ifdef WIN32
> > >
> > >
> > > ----- Original Message -----
> > > From: "Larry Isaacs" <[EMAIL PROTECTED]>
> > > To: "'Tomcat Developers List'" <[EMAIL PROTECTED]>
> > > Sent: Thursday, November 01, 2001 12:32 PM
> > > Subject: RE: Does anyone see anything wrong with this fix?
> > >
> > >
> > > > It isn't a matter of how the '*' is interpreted, but that
> > > > mod_jk will put a null terminator following the '*' if the
> > > > next character isn't a '.'. Thus:
> > > >
> > > > JkMount /*something ...
> > > >
> > > > and
> > > >
> > > > JkMount /* ...
> > > >
> > > > end up being equivalent. So far no one has found time to
> > > > add more sophisticated string matching. Feel free to
> > > > submit a patch, though this should be against mod_jk
> > > > in jakarta-tomcat-connectors.
> > > >
> > > > There was an earlier attempt in Tomcat 3.3 to have mod_jk
> > > > work with Handler directives in the httpd.conf. This would
> > > > allow Apache's pattern matching abilities to be used to
> > > > map requests to Tomcat. It wasn't feasible to finish this
> > > > approach, so it was removed from Tomcat 3.3. It may still
> > > > get implemented in the jakarta-tomcat-connectors version
> > > > of mod_jk, assuming a better approach doesn't present itself.
> > > >
> > > > Larry
> > > >
> > > > > -----Original Message-----
> > > > > From: Michael Jennings [mailto:[EMAIL PROTECTED]]
> > > > > Sent: Thursday, November 01, 2001 3:14 PM
> > > > > To: Tomcat Developers List
> > > > > Subject: Re: Does anyone see anything wrong with this fix?
> > > > >
> > > > >
> > > > > Thanks for the feedback.
> > > > >
> > > > > So "/path/*.something"
> > > > > will handle URI's like "/path/sub1/sub2/file.something"
> > > > > "/path/sub1/sub2/anotherfilename.something"
> > > > >
> > > > > but "/path/*something" will NOT handle URI's like
> > > > > "/path/sub1/sub2/here_is_something"
> > > > > or
> > > > > "/path/moreofsomething"
> > > > > or
> > > > > "/path/sub1/sub2/sub3/something"
> > > > >
> > > > > So the asterisk can only be used in conjunction with a dot as in
> > > > > "*.something" as far as URI mapping is concerned?
> > > > >
> > > > > So the real wildcard sequence is actually "*." and "*xyz" is
> > > > > interpreted as
> > > > > "*"?
> > > > >
> > > > > Wouldn't it be better to make mod_jk deal with wildcards a
> > > > > little bit more
> > > > > intelligently, or am I missing something? (which is more likely)
> > > > >
> > > > > -Mike Jennings
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Larry Isaacs" <[EMAIL PROTECTED]>
> > > > > To: "'Tomcat Developers List'" <[EMAIL PROTECTED]>
> > > > > Sent: Thursday, November 01, 2001 10:42 AM
> > > > > Subject: RE: Does anyone see anything wrong with this fix?
> > > > >
> > > > >
> > > > > > I believe mod_jk's JkMount currently only accepts mappings in
the
> > > > > > form:
> > > > > >
> > > > > > JkMount /path/*
> > > > > > JkMount /path/*.ext
> > > > > >
> > > > > > Something like:
> > > > > >
> > > > > > JkMount /path/*something
> > > > > >
> > > > > > is another way of saying:
> > > > > >
> > > > > > JkMount /path/*
> > > > > >
> > > > > > which makes the other settings written irrelevant since all
> > > > > > requests will be mapped to Tomcat. See the:
> > > > > >
> > > > > > /* context based */
> > > > > > asterisk[1] = '\0';
> > > > > >
> > > > > > in jk_uri_worker_map.c file.
> > > > > >
> > > > > > Tomcat 3.3 deals with this by having the generated mod_jk.conf
> > > > > > use the "JkMount /path/*" approach by default. If you add
> > > > > > forwardAll="false" to the ApacheConfig line in server.xml,
> > > > > > it will write a mod_jk.conf similar to that of Tomcat 3.2.x,
> > > > > > but with additional mappings. These additional mappings for
> > > > > > the context will include one like the following:
> > > > > >
> > > > > > JkMount /examples/jsp/security/login/j_security_check ajp13
> > > > > >
> > > > > > If you want "j_security_check" to work in Tomcat 3.2.x without
> > > > > > mapping all requests to Tomcat, you will need to add mappings
> > > > > > like this. It is beyond the scope of Tomcat 3.2.x development
> > > > > > to back port Tomcat 3.3's behavior to Tomcat 3.2.x.
> > > > > >
> > > > > > Cheers,
> > > > > > Larry
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Michael Jennings [mailto:[EMAIL PROTECTED]]
> > > > > > > Sent: Thursday, November 01, 2001 12:35 PM
> > > > > > > To: [EMAIL PROTECTED]
> > > > > > > Subject: Does anyone see anything wrong with this fix?
> > > > > > >
> > > > > > >
> > > > > > > As far as I can tell, the following modification to the
> > > > > > > ApacheConfig.java class will
> > > > > > > enable form-based authentication to work for people using
> > > > > > > mod_jk.conf-auto
> > > > > > > with Apache.
> > > > > > >
> > > > > > >
> > > > > > > mod_jk needs to be told to handle requests of the form
> > > > > > > "/webapproot/somedir/j_security_check"
> > > > > > >
> > > > > > > since a login.jsp page (for form-based authentication)
> > > > > may exist at
> > > > > > > "/webapproot/somedir/login.jsp" and may specify
> "j_security_check"
> > > > > > > as the target of a form submission. In order for the
> > > > > > > form-based authentication
> > > > > > > machinery to work, it needs to get the POST request that
> > > > > is going to
> > > > > > > "/webapproot/somedir/j_security_check"
> > > > > > > which means that pattern has to be present in the
> mod_jk.conf-auto
> > > > > > >
> > > > > > > ie: the following line must be in the mod_jk configuration
file:
> > > > > > > JkMount /webapproot/*j_security_check ajp12
> > > > > > >
> > > > > > > Does anyone see any potential problems with this?
> > > > > > >
> > > > > > > -Mike Jennings
> > > > > > >
> > > > > > > Index:
> > > > > > >
> jakarta-tomcat/src/share/org/apache/tomcat/task/ApacheConfig.java
> > > > > > >
> > > > >
===================================================================
> > > > > > > RCS file:
> > > > > > > /home/cvspublic/jakarta-tomcat/src/share/org/apache/tomcat/tas
> > > > > > > k/Attic/ApacheConfig.java,v
> > > > > > > retrieving revision 1.12.2.2
> > > > > > > diff -r1.12.2.2 ApacheConfig.java
> > > > > > > 202a203
> > > > > > > > mod_jk.println("JkMount /*j_security_check ajp12");
> > > > > > > 289a291
> > > > > > > > mod_jk.println("JkMount " + path
> > > > > +"/*j_security_check ajp12");
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > --
> > > > > > To unsubscribe, e-mail:
> > > > > <mailto:[EMAIL PROTECTED]>
> > > > > > For additional commands, e-mail:
> > > > > <mailto:[EMAIL PROTECTED]>
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > To unsubscribe, e-mail:
> > > > > <mailto:[EMAIL PROTECTED]>
> > > > > For additional commands, e-mail:
> > > > > <mailto:[EMAIL PROTECTED]>
> > > > >
> > > >
> > > > --
> > > > To unsubscribe, e-mail:
> > > <mailto:[EMAIL PROTECTED]>
> > > > For additional commands, e-mail:
> > > <mailto:[EMAIL PROTECTED]>
> > > >
> > > >
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> > > For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
> > >
> >
> >
> > --
> > To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
> >
> >
>
>
> --
> To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>
>
>
Index: jakarta-tomcat-connectors/jk/native/common/jk_uri_worker_map.c
===================================================================
RCS file:
/home/cvspublic/jakarta-tomcat-connectors/jk/native/common/jk_uri_worker_map.c,v
retrieving revision 1.9
diff -r1.9 jk_uri_worker_map.c
77,79c77,80
< #define MATCH_TYPE_EXACT (0)
< #define MATCH_TYPE_CONTEXT (1)
< #define MATCH_TYPE_SUFFIX (2)
---
> #define MATCH_TYPE_EXACT (0) /* match an exact pattern */
> #define MATCH_TYPE_CONTEXT (1) /* match all URIs in a given context */
> #define MATCH_TYPE_SUFFIX (2) /* match all URIs of the form *.ext */
> #define MATCH_TYPE_GENERAL_SUFFIX (3) /* match all URIs of the form *ext */
279c280
< asterisk[1] =
---
> asterisk[1] =
288c289,300
< } else {
---
> } else if ('\0' != asterisk[2]) {
> /* general suffix rule */
> asterisk[1] = '\0';
> uwr->worker_name = worker;
> uwr->context = uri;
> uwr->suffix = asterisk + 2;
> uwr->match_type = MATCH_TYPE_GENERAL_SUFFIX;
> jk_log(l, JK_LOG_DEBUG,
> "Into jk_uri_worker_map_t::uri_worker_map_open, general
>suffix rule %s*%s=%s was added\n",
> uri, asterisk + 2, worker);
> }
> else {
416a429,441
> /* returns the index of the last occurrence of the 'ch' character
> if ch=='\0' returns the length of the string str */
> int last_index_of(const char *str,char ch)
> {
> const char *str_minus_one=str-1;
> const char *s=str+strlen(str);
> while(s!=str_minus_one && ch!=*s)
> {
> --s;
> }
> return (s-str);
> }
>
468a494,506
> } else if(MATCH_TYPE_GENERAL_SUFFIX == uwr->match_type) {
> int suffix_start=last_index_of(uri,uwr->suffix[0]);
> if (suffix_start>=0 && 0==strcmp(uri+suffix_start,uwr->suffix)) {
> if(uwr->ctxt_len >= longest_match) {
> jk_log(l,
> JK_LOG_DEBUG,
> "jk_uri_worker_map_t::map_uri_to_worker, Found
>a general suffix match %s -> *%s\n",
> uwr->worker_name,
> uwr->suffix );
> longest_match = uwr->ctxt_len;
> best_match = i;
> }
> }
Index: jakarta-tomcat/src/share/org/apache/tomcat/task/ApacheConfig.java
===================================================================
RCS file:
/home/cvspublic/jakarta-tomcat/src/share/org/apache/tomcat/task/Attic/ApacheConfig.java,v
retrieving revision 1.12.2.2
diff -r1.12.2.2 ApacheConfig.java
202a203
> mod_jk.println("JkMount /*j_security_check ajp12");
289a291
> mod_jk.println("JkMount " + path +"/*j_security_check ajp12");
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
