https://bz.apache.org/bugzilla/show_bug.cgi?id=67198
Bug ID: 67198
Summary: AuthType not set if tomcatAuthentication is set to true or left empty
Product: Tomcat 9
Version: 9.0.79
Hardware: PC
OS: Linux
Status: NEW
Severity: minor
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: robert.rodew...@kopsis.com
Target Milestone: -----

We are using Tomcat behind an Apache HTTPD with mod_proxy_ajp. The Apache HTTPD server is doing authentication by means of mod_auth_mellon and the authentication is propagated to Tomcat by using tomcatAuthorization="true" on the connector. This works perfectly.

The problem is that request.getAuthType() ("Mellon" in our case) does not get propagated from Apache HTTPD if tomcatAuthentication is not explicitly set to "false", which does not conform to the documentation.

The documentation of tomcatAuthentication says that: "The default value is true. If tomcatAuthorization is set to true this attribute has no effect."

It has the effect that the AuthType is not set if not set to "false". In my opinion the propagation of this value should not be dependent on tomcatAuthentication being set to "false".

The cause of this behavior is the following code snippet in AjpProcessor:

    case Constants.SC_A_AUTH_TYPE:
        if (protocol.getTomcatAuthentication()) {
            // ignore server
            requestHeaderMessage.getBytes(tmpMB);
        } else {
            requestHeaderMessage.getBytes(request.getAuthType());
        }
        break;

We could change the if condition to (protocol.getTomcatAuthentication() || protocol.getTomcatAuthorization())?

I would be willing to submit a pull request, if this solution is accepted.
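The branch quoted in the report can be modelled over all four combinations of the two connector attributes. This is an added example, not Tomcat source and not code from the reporter: the class name, the policy names and the DOCUMENTED condition are hypothetical, and null stands for an auth type that was never set.

```java
import java.util.function.BiPredicate;

// Added model of the SC_A_AUTH_TYPE branch quoted in the report; not Tomcat source.
public class AuthTypeModel {

    // Each policy answers: is the proxy-supplied auth type ignored?
    // Arguments are (tomcatAuthentication, tomcatAuthorization).
    static final BiPredicate<Boolean, Boolean> CURRENT = (authn, authz) -> authn;
    static final BiPredicate<Boolean, Boolean> PROPOSED = (authn, authz) -> authn || authz;
    // Hypothetical condition in which tomcatAuthorization=true makes
    // tomcatAuthentication irrelevant, as the quoted documentation states.
    static final BiPredicate<Boolean, Boolean> DOCUMENTED = (authn, authz) -> authn && !authz;

    // Models what request.getAuthType() would yield for a value sent by the proxy.
    static String authType(BiPredicate<Boolean, Boolean> ignoreProxy,
                           boolean authn, boolean authz, String fromProxy) {
        return ignoreProxy.test(authn, authz) ? null : fromProxy;
    }

    public static void main(String[] args) {
        String fromProxy = "Mellon"; // auth type the reporter expects from mod_auth_mellon
        boolean[] flags = {true, false};
        System.out.printf("%-7s %-7s %-10s %-10s %-10s%n",
                "authn", "authz", "current", "proposed", "documented");
        for (boolean authn : flags) {
            for (boolean authz : flags) {
                System.out.printf("%-7b %-7b %-10s %-10s %-10s%n", authn, authz,
                        authType(CURRENT, authn, authz, fromProxy),
                        authType(PROPOSED, authn, authz, fromProxy),
                        authType(DOCUMENTED, authn, authz, fromProxy));
            }
        }
    }
}
```

For the reporter's setup (tomcatAuthentication left at its default of true, tomcatAuthorization="true"), only the third condition returns the proxy's value. The condition as written in the report's last paragraph ignores it in that row and also when tomcatAuthentication is "false" with tomcatAuthorization="true".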