Bill Barker wrote:
>> I think it is reasonable to fix it.
>>
>> This can be serious - if someone relies on application isolation ( like
>> a hosting environment ), the consequences can be really bad, with
>> one webapp guessing the credentials of another one.
>> The fix seems reasonably simple and clean.
>>
>
> Except that it isn't really a fix. Like Remy, I'd like to see a more
> general fix (e.g. using the new 5.0 Mapper). However, I won't -1 if Keith
> wants to commit his patch. It does fix the worst-case condition.

Let's call it "a small improvement" :-)

Costin

>
>> Costin
>>
>> Keith Wannamaker wrote:
>>
>> > Greetings,
>> >
>> > I brought this up in November. Remy and I have a disagreement
>> > on how important fixing this bug is. I want to see if there is
>> > a quorum of other committers who understand the problem and think
>> > it should be fixed prior to the next stable build release of 4.1.
>> >
>> > The immediate problem is that current Tomcat behavior causes
>> > browsers to submit auth credentials to webapps other than the
>> > webapp that originally sent the 401 challenge.
>> >
>> > Most web servers, like Apache, are careful to redirect for
>> > trailing slashes before challenging for authentication. Tomcat
>> > does this backward. The result is the client will usually cache
>> > the need for auth for the entire domain and not just a single
>> > webapp.
>> >
>> > Here is a repeat of the scenario I mentioned in November
>> > <http://marc.theaimsgroup.com/?l=tomcat-dev&m=103673355109222&w=2>
>> >
>> > <Context path="/foo" docBase="foo" />
>> > <Context path="/bar" docBase="bar" />
>> >
>> > foo and bar web.xml protected with
>> > <security-constraint>
>> >   <web-resource-collection>
>> >     <web-resource-name>name</web-resource-name>
>> >     <url-pattern>/*</url-pattern>
>> >   </web-resource-collection>
>> >   <auth-constraint>
>> >     <role-name>admin</role-name>
>> >   </auth-constraint>
>> > </security-constraint>
>> >
>> > Current behavior:
>> > Request                  Response
>> > GET /foo                 401
>> > (at this point browsers will send credentials to any url in this domain)
>> > GET /foo with auth       301 redirect to /foo/
>> > GET /foo/                200
>> > GET /bar with auth
>> >     ^^^^^^^^^
>> >
>> > Correct behavior:
>> > GET /foo                 301 redirect to /foo/
>> > GET /foo/                401
>> > GET /foo/ with auth      200
>> > GET /bar without auth
>> >     ^^^^^^^^^^^^
>> >
>> > My proposed patch is attached to bug 14616
>> > <http://issues.apache.org/bugzilla/show_bug.cgi?id=14616>
>> > While this does not cover the case of subdirectories within
>> > a context, it does fix the most egregious case for context
>> > roots.
>> >
>> > Please comment if you are not comfortable with credentials being
>> > inadvertently shared between all webapps on a given domain.
>> >
>> > Keith

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
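The two request orderings Keith lists, replayed against a toy server and a browser-like client, as an added example that is not part of this thread and not Tomcat code. The client applies the Basic-auth rule from RFC 2617 section 2 (repeated in RFC 7617 section 2.2): after a 401 for a URI, it treats every path at or below the directory of that URI as the same protection space and sends credentials there without being asked. For a 401 at `/foo` that directory is `/`, which is the whole host; for a 401 at `/foo/` it is `/foo/`. The context names, the hostname `tomcat.example`, the `toy_server`/`run_scenario` helpers and the rule that the server accepts any credentials are assumptions made for the example.

```python
"""Simulate the cross-context credential leak from the tomcat-dev thread.

Added example, not Tomcat code. `challenge_first=True` is the Tomcat 4.1
ordering (401 before the trailing-slash 301); False is the Apache ordering
(301 first, then 401). The client models the RFC 2617 s.2 / RFC 7617 s.2.2
rule: a 401 at a URI makes the client send credentials preemptively to
every path under that URI's directory.
"""
import posixpath
from urllib.parse import urlsplit

# Constructed for the example: two contexts, both protected with /* in web.xml.
CONTEXTS = ("/foo", "/bar")


def protection_space(url):
    """Path prefix the client treats as covered by a 401 received at `url`.

    '/foo'  -> '/'      the last symbolic element is 'foo', so the whole host
    '/foo/' -> '/foo/'  only the context itself
    """
    path = urlsplit(url).path or "/"
    if path.endswith("/"):
        return path
    return posixpath.dirname(path).rstrip("/") + "/"


def toy_server(path, has_auth, challenge_first):
    """Status code for a request to `path`, with or without credentials.

    The toy server accepts any credentials; only their presence matters here.
    """
    context = "/" + path.split("/")[1]
    if context not in CONTEXTS:
        return 404
    needs_redirect = path == context          # context root without trailing slash
    if challenge_first:                       # Tomcat 4.1: challenge, then redirect
        if not has_auth:
            return 401
        if needs_redirect:
            return 301
        return 200
    if needs_redirect:                        # Apache: redirect, then challenge
        return 301
    if not has_auth:
        return 401
    return 200


class Client:
    """Browser-like client with a preemptive Basic-auth cache."""

    def __init__(self):
        self.spaces = set()   # path prefixes the client sends credentials to

    def sends_auth_to(self, path):
        return any(path.startswith(space) for space in self.spaces)

    def learn_challenge(self, url):
        self.spaces.add(protection_space(url))


def run_scenario(challenge_first, host="http://tomcat.example"):
    """Fetch /foo then /bar as a browser would; return the request trace.

    Each trace entry is (path, credentials_sent, status).
    """
    client = Client()
    trace = []
    for path in CONTEXTS:
        for _ in range(5):                    # bounded: redirects plus one auth retry
            has_auth = client.sends_auth_to(path)
            status = toy_server(path, has_auth, challenge_first)
            trace.append((path, has_auth, status))
            if status == 301:
                path += "/"                   # follow the trailing-slash redirect
            elif status == 401 and not has_auth:
                client.learn_challenge(host + path)
            else:
                break                         # 200, 404, or credentials rejected
    return trace


def leaked_to_bar(trace):
    """True if the very first request to /bar already carried /foo's credentials."""
    first_bar = next(entry for entry in trace if entry[0].startswith("/bar"))
    return first_bar[1]


if __name__ == "__main__":
    for mode, label in ((True, "Tomcat 4.1 ordering"), (False, "redirect-first ordering")):
        trace = run_scenario(mode)
        print(f"{label}: credentials leaked to /bar = {leaked_to_bar(trace)}")
        for path, has_auth, status in trace:
            print(f"  GET {path:<6} {'with auth' if has_auth else 'no auth  '} -> {status}")
```

Running the script prints both traces; in the challenge-first ordering the first request to `/bar` already carries the credentials cached for `/foo`, in the redirect-first ordering it does not, which is the difference the thread is arguing about.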