I just submitted bug 42120. It appears that Apache is improperly (at
least I think it's improper) matching Location blocks when doing
authentication if a path component parameter is passed on.
Specifically, something like this:

    <Location /webapp/servlet/SomeServlet>
        {Auth stuff}
    </Location>

In this scenario, if I hit http://server/webapp/servlet/SomeServlet I'll
be properly challenged. However, if I generate a servlet URL with the
jsession ID as a parameter rather than a cookie, the URL will look
something like
http://server/webapp/servlet/SomeServlet;jsessionid=[sessionid] and
Apache fails to properly challenge for authentication.
There are a number of potential workarounds (LocationMatch, or multiple
Location blocks to deal with the ;* pattern) but it does seem like this
is a bug unless someone can clarify RFC 2396 section 3.3 for me and
explain why it isn't.
Agree or disagree?
Thanks,
Andy
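
The LocationMatch workaround mentioned in the message, written out as an added example (not part of the original message or of the bug report). The auth directives and the htpasswd path are constructed placeholders for "{Auth stuff}", and the pattern goes a little beyond the post by allowing a ;parameter on every path segment, on the assumption that the servlet container ignores parameters on each segment.

```apache
# Section from the post. As reported there, a request for
# /webapp/servlet/SomeServlet;jsessionid=... is not challenged by it.
#
# <Location /webapp/servlet/SomeServlet>
#     {Auth stuff}
# </Location>

# Workaround: a regex section that also covers an optional ";params"
# suffix on each segment (RFC 2396 section 3.3 permits parameters on
# any path segment, not only the last one).
#
#   (;[^/]*)?   optional parameter list, stops at the next "/"
#   (/.*)?      anything below the servlet path
#
# The pattern is anchored with ^ and $ because LocationMatch regexes
# are otherwise unanchored and would match anywhere in the URL path.
<LocationMatch "^/webapp(;[^/]*)?/servlet(;[^/]*)?/SomeServlet(;[^/]*)?(/.*)?$">
    # Constructed stand-ins for the post's "{Auth stuff}".
    AuthType Basic
    AuthName "Restricted servlet"
    AuthUserFile "/path/to/htpasswd"
    Require valid-user
</LocationMatch>
```

After reloading, request both the plain URL and the ;jsessionid form without credentials and check that each returns a 401 challenge.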