As a non-4.x expert, your patch looks ok. I would guess that it would still have problems with a request to /foo/protected where the security-constraint is only for /foo/protected/*.
----- Original Message -----
From: "Keith Wannamaker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 07, 2002 9:36 PM
Subject: auth bug fix for 4.0.6

> It turns out TC 4.0.6 has the same auth bug as 3.3--
> it challenges prior to redirects. The immediate problem
> this causes is that some browsers will cache and send
> credentials for the entire domain after being challenged
> for a top level directory without a trailing slash.
>
> So 4.0.6 exhibits this wrong behavior:
> GET /foo -> 401
> GET /foo with auth -> 301 to /foo/
> GET /foo/ with auth -> 200
> GET /bar with auth .. (browser will send auth to other realms!)
>
> With the following patch it will exhibit this correct behavior:
> GET /foo -> 301 to /foo/
> GET /foo/ -> 401
> GET /foo/ with auth -> 200
> GET /bar WITHOUT auth
>
>
> I'll be glad to ci it, but those more in the know may
> have a better location for the fix in mind.
>
> Keith
>
>
> Index: catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
> ===================================================================
> RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
> retrieving revision 1.23.2.5
> diff -u -r1.23.2.5 AuthenticatorBase.java
> --- catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
> 27 Feb 2002 17:42:58 -0000 1.23.2.5
> +++ catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
> 8 Nov 2002 05:25:06 -0000
> @@ -422,8 +422,18 @@ > context.invokeNext(request, response); > return; > } > HttpRequest hrequest = (HttpRequest) request; > HttpResponse hresponse = (HttpResponse) response; > + > + // Do not authenticate prior to redirects > + String uri = ((HttpServletRequest) request.getRequest()).getRequestURI(); > + if (uri.length() > 0 && ! uri.endsWith("/") && > + uri.equals(request.getContext().getName())) { > + context.invokeNext(request, response); > + return; > + } > + > if (debug >= 1) > log("Security checking request " + > ((HttpServletRequest) request.getRequest()).getMethod() + " " + > > > -- > To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@;jakarta.apache.org> > For additional commands, e-mail: <mailto:tomcat-dev-help@;jakarta.apache.org> > -- To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:tomcat-dev-help@;jakarta.apache.org>
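Review bot: the new early return in the `@@ -422` hunk exempts a request from authentication whenever `uri.equals(request.getContext().getName())` without a trailing slash, but it never confirms that the container will actually answer that request with a redirect; if a bare context-path request is ever served rather than redirected to `/foo/`, the security constraint is skipped for it, so the decision should be tied to the redirect itself (or the exemption documented as depending on the root-directory redirect always firing) rather than inferred from the URI shape. As the reply above also points out, the check matches only the context root, so a directory below it requested without a trailing slash (`/foo/protected` with a constraint on `/foo/protected/*`) still gets the 401-before-301 sequence the patch is meant to remove; a comment on the `// Do not authenticate prior to redirects` line stating that only the context root is covered would make that limit explicit for whoever next touches this code.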