On 03/05/18 20:17, Mark Thomas wrote:
> On 02/05/18 16:08, Dirk Ooms wrote:
>> Mark,
>>
>> you can reproduce it using the FormAuthentication example in the
>> examples (http://localhost:8080/examples/jsp/security/protected/)
>>
>> edit index.jsp
>> 1. add the line "RequestURI: <%= request.getRequestURI() %><br><br>" in
>> begin of body
>> 2. change the method of the form from GET to POST
>>
>> scenario:
>> 1. go to http://localhost:8080/examples/jsp/security/protected/
>> 2. log in
>> 3. open second tab/window to same url
>> 4. log out in second tab/window
>> 5. go to initial window and submit form
>> 6. log in again
>> 7. observe the malformed requestURI
>
> Thanks for the reproduction steps. They were a huge help.
>
> This was introduced in 8.5.x with some refactoring that reduced copying
> between I/O buffers during request processing. Essentially, the saved
> request body was over-writing the cached bytes for the URI.

Correction. It affects 8.0.x and earlier as well. I'll back port the fix
for 8.0.x and 7.0.x.

Mark

>
> I'll be committing a fix shortly which will be available in 9.0.9 and
> 8.5.32 onwards.
>
> Mark
>
>>
>> see also attached screenshots (if they make it to the mailing list).
>>
>> dirk
>>
>>
>> On 1 May 2018 at 16:20, Dirk Ooms <[email protected]> wrote:
>>
>> apologies for the incomplete info. it is tomcat 9.0.6
>>
>> i will try to set up a test case and get back to you.
>>
>> dirk
>>
>>
>> On 1 May 2018 at 16:07, Mark Thomas <[email protected]> wrote:
>>
>> On 01/05/18 14:36, Dirk Ooms wrote:
>> > Hello,
>> >
>> > i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.
>> >
>> > in tomcat5.5 when a user was not logged in and he/she requested a url, the
>> > login page was returned and after logging in the user was given the
>> > requested resource. when i requested request.getRequestURI() in my code the
>> > returned uri was correct for both GET and POST.
>> >
>> > in tomcat9 this is not the case anymore for POST (for GET still ok). when i
>> > call request.getRequestURI() after the user is logged in, it returns
>> > "chString" in my case, which is a part of the name of the first form field
>> > ("searchString") of the original POST.
>> >
>> > any idea? am i missing something?
>>
>> The exact Tomcat 9 version.
>>
>> A test case that demonstrates the issue.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
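
The failure mode described in the thread (a saved request body over-writing the cached bytes for the URI) can be modelled as a zero-copy view whose backing buffer is reused. This is an added example, not Tomcat source code and not the committed fix: `ByteView`, `parseUri` and `replaySavedBody` are hypothetical names, the request line and body are constructed sample data, and detaching an owned copy is only one way to break the aliasing.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Simplified, hypothetical model of the bug class; not Tomcat's implementation.
public class SharedBufferAliasDemo {

    // Zero-copy view: the URI is remembered as (offset, length) into a shared buffer.
    static final class ByteView {
        final byte[] buf; final int off; final int len;
        ByteView(byte[] buf, int off, int len) { this.buf = buf; this.off = off; this.len = len; }

        // Owned copy that no longer depends on the shared buffer's later contents.
        ByteView detach() { return new ByteView(Arrays.copyOfRange(buf, off, off + len), 0, len); }

        @Override public String toString() {
            return new String(buf, off, len, StandardCharsets.ISO_8859_1);
        }
    }

    // Locate the request target between the first and second space of the request line.
    static ByteView parseUri(byte[] buf) {
        int start = 0;
        while (buf[start] != ' ') start++;
        start++;
        int end = start;
        while (buf[end] != ' ') end++;
        return new ByteView(buf, start, end - start);
    }

    // Replays a saved body into the same buffer the request line was parsed from.
    static void replaySavedBody(byte[] shared, byte[] savedBody) {
        System.arraycopy(savedBody, 0, shared, 0, savedBody.length);
    }

    public static void main(String[] args) {
        // Constructed sample data: request after re-login, and the saved POST body.
        byte[] requestLine = "GET /results HTTP/1.1\r\n".getBytes(StandardCharsets.ISO_8859_1);
        byte[] savedBody = "searchString=tomcat".getBytes(StandardCharsets.ISO_8859_1);

        byte[] shared = Arrays.copyOf(requestLine, 64); // shared I/O buffer
        ByteView aliased = parseUri(shared);            // still points into 'shared'
        ByteView owned = aliased.detach();              // independent copy of the URI bytes

        System.out.println("URI before replay:         " + aliased);
        replaySavedBody(shared, savedBody);
        System.out.println("aliased view after replay: " + aliased);
        System.out.println("owned copy after replay:   " + owned);
    }
}
```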
