As a non-4.x expert, your patch looks ok.  I would guess that it would still
have problems with a request to /foo/protected where the security-constraint
is only for /foo/protected/*.

----- Original Message -----
From: "Keith Wannamaker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 07, 2002 9:36 PM
Subject: auth bug fix for 4.0.6


> It turns out TC 4.0.6 has the same auth bug as 3.3--
> it challenges prior to redirects.  The immediate problem
> this causes is that some browsers will cache and send
> credentials for the entire domain after being challenged
> for a top level directory without a trailing slash.
>
> So 4.0.6 exhibits this wrong behavior:
>  GET /foo                       ->  401
>  GET /foo with auth             ->  301 to /foo/
>  GET /foo/ with auth            ->  200
>  GET /bar with auth  .. (browser will send auth to other realms!)
>
> With the following patch it will exhibit this correct behavior:
>  GET /foo                       ->  301 to /foo/
>  GET /foo/                      ->  401
>  GET /foo/ with auth            ->  200
>  GET /bar  WITHOUT auth
>
>
> I'll be glad to ci it, but those more in the know may
> have a better location for the fix in mind.
>
> Keith
>
>
> Index:
catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
> ===================================================================
> RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenti
cator/AuthenticatorBase.java,v
> retrieving revision 1.23.2.5
> diff -u -r1.23.2.5 AuthenticatorBase.java
> ---
catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
> 27 Feb 2002 17:42:58 -0000      1.23.2.5
> +++
catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
> 8 Nov 2002 05:25:06 -0000
> @@ -422,8 +422,18 @@
>              context.invokeNext(request, response);
>              return;
>          }
>          HttpRequest hrequest = (HttpRequest) request;
>          HttpResponse hresponse = (HttpResponse) response;
> +
> +        // Do not authenticate prior to redirects
> +        String uri = ((HttpServletRequest)
request.getRequest()).getRequestURI();
> +        if (uri.length() > 0 && ! uri.endsWith("/") &&
> +            uri.equals(request.getContext().getName())) {
> +            context.invokeNext(request, response);
> +            return;
> +        }
> +
>          if (debug >= 1)
>              log("Security checking request " +
>                  ((HttpServletRequest) request.getRequest()).getMethod() +
" " +
>
>
> --
> To unsubscribe, e-mail:
<mailto:tomcat-dev-unsubscribe@;jakarta.apache.org>
> For additional commands, e-mail:
<mailto:tomcat-dev-help@;jakarta.apache.org>
>
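The ordering bug and the browser behaviour described in the quoted message, as a constructed Python model added here (not Tomcat code): the authenticator runs before the trailing-slash redirect, and three skip rules are compared, the 4.0.6 behaviour, the posted patch's context-root check, and a broader skip-before-redirect rule, with the RFC 2617 protection-space rule showing why a challenge on `/foo` leaks credentials to `/bar`. The context path, directory set and constraint patterns are constructed.

```python
# Constructed model (not Tomcat code): the authenticator valve runs before the
# trailing-slash redirect; the browser scopes credentials per RFC 2617 section 2.
CONTEXT = "/foo"                              # web application context path
DIRECTORIES = {"/foo/", "/foo/protected/"}    # constructed directory resources

def is_constrained(path, constraints):
    """Servlet-spec prefix match: '/a/*' covers '/a' itself and anything under '/a/'."""
    for pattern in constraints:
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            if path == prefix or path.startswith(prefix + "/"):
                return True
        elif path == pattern:
            return True
    return False

def redirect_target(path):
    """A directory requested without a trailing slash is answered with 301 to path + '/'."""
    return path + "/" if not path.endswith("/") and path + "/" in DIRECTORIES else None

def skip_never(path):             # 4.0.6 as shipped
    return False
def skip_context_root(path):      # the condition in the posted patch
    return len(path) > 0 and not path.endswith("/") and path == CONTEXT
def skip_before_redirect(path):   # broader rule: step aside whenever a redirect will follow
    return redirect_target(path) is not None

def handle(path, has_auth, constraints, auth_skip):
    """One pass through the pipeline: authenticator first, then the redirect."""
    if not auth_skip(path) and is_constrained(path, constraints) and not has_auth:
        return 401
    return 301 if redirect_target(path) else 200

def protection_space(path):
    """RFC 2617 s.2: credentials are reused at or below the directory of the challenged
    URI, so a challenge on '/foo' scopes to '/' but one on '/foo/' scopes to '/foo/'."""
    return path.rsplit("/", 1)[0] + "/"

def browse(paths, constraints, auth_skip):
    """Replay paths as a browser would: retry a 401 with credentials, then send them
    preemptively within each learned protection space. Returns (path, sent_auth, status)."""
    cached, trace = [], []
    for path in paths:
        sent = any(path.startswith(space) for space in cached)
        status = handle(path, sent, constraints, auth_skip)
        if status == 401:                     # user types credentials, browser retries
            cached.append(protection_space(path))
            sent, status = True, handle(path, True, constraints, auth_skip)
        trace.append((path, sent, status))
    return trace
```

With `skip_context_root`, a constraint on `/foo/protected/*` alone still yields a 401 for `/foo/protected` before the 301, and the browser then sends those credentials to `/foo/other`; `skip_before_redirect` redirects first and nothing is cached.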
