On Sun, 15 Jul 2001, Nils O. Selåsdal wrote:
> Ok, I needed to put some security constraints on a directory, so I added this
> to my web.xml:
> <security-constraint>
> <display-name>UQoS Amin Area</display-name>
> <web-resource-collection>
> <web-resource-name>UQoS Amin Area</web-resource-name>
> <url-pattern>/admin/*</url-pattern>
> </web-resource-collection>
> I use BASIC authentication using the memory realm.
> Works like it's supposed to when someone goes to my http://xxx/webapp/Admin/ or
> something below, HOWEVER, if they type http://xxx/webapp//Admin/ (or even
> more slashes), all security checks are bypassed, anyone is let right in!
> (The same thing always happens; try it with the 'security' example shipped with
> Tomcat.)
> Severe bug! I have posted it to Bugzilla. This applies to at least Tomcat
> 3.2.1 and 3.2.2.
> And I need it fixed as soon as possible. Does anyone know a workaround to
> this one? (I'd rather not upgrade to Tomcat 4 yet; seems like it's fixed here.)
It's not completely fixed in 4 -- some request URI paths still let you in.
> --
> Nils O. Selåsdal
>
Yep ... it is a serious bug, affecting all versions of Tomcat, and there
is no workaround. The problem relates to the fact that "normalization" of
the request URI (i.e. removing "//" and "/./", and compacting "/../") is
not being performed consistently. This is going to be fixed (in all
versions) such that the request URI received by the server will be
normalized *before* being used to map to a servlet, or to select a
security constraint. As a side effect, the value returned when you call
request.getRequestURI() will always be normalized.
Look for announcements of the availability of patched versions shortly.
Craig McClanahan
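Normalization before constraint matching, as Craig describes it, written up as an added example in Python (not Tomcat's own code): normalize_uri collapses "//" and "/./" and resolves "/../", and is_protected shows how a "/admin/*" constraint is skipped when matched against the raw URI but applied once the path is normalized. The matcher handles only prefix and exact patterns, and the path is assumed to be already relative to the webapp context (both assumptions).

```python
"""Added example, not from the original thread or from Tomcat.
Normalize a request path, then match security constraints only against
the normalized form."""

from typing import Iterable, Optional


def normalize_uri(uri: str) -> Optional[str]:
    """Collapse '//', drop '/./' and resolve '/../' segments.

    Returns None when '..' would climb above the context root; a server
    should reject such a request rather than guess. A trailing slash is
    kept so '/admin/' still denotes the directory.
    """
    if not uri.startswith("/"):
        return None
    trailing_slash = uri.endswith(("/", "/.", "/.."))
    segments = []
    for seg in uri.split("/"):
        if seg in ("", "."):
            continue                      # '//' and '/./' carry no meaning
        if seg == "..":
            if not segments:
                return None               # would escape the root: reject
            segments.pop()
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    if trailing_slash and segments:
        result += "/"
    return result


def matches_pattern(path: str, pattern: str) -> bool:
    """web.xml style matching for '/prefix/*' and exact patterns (assumed
    subset; extension patterns such as '*.jsp' are left out)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def is_protected(uri: str, patterns: Iterable[str], normalize: bool = True) -> bool:
    """normalize=False reproduces the bug in the thread: '//admin/' is not a
    prefix match for '/admin/*', so the constraint is never applied."""
    path = normalize_uri(uri) if normalize else uri
    if path is None:
        return True                       # unparseable or escaping path: deny
    return any(matches_pattern(path, p) for p in patterns)
```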