Author: markt
Date: Wed Oct 20 21:55:30 2010
New Revision: 1025775
URL: http://svn.apache.org/viewvc?rev=1025775&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=3839
Provide a mechanism to gracefully handle the case where users bookmark the
form login page or otherwise abuse the FORM authentication process.
Based on a suggestion by Mark Morris.
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/valve.xml
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1025775&r1=1025774&r2=1025775&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
Wed Oct 20 21:55:30 2010
@@ -75,6 +75,12 @@ public class FormAuthenticator
*/
protected String characterEncoding = null;
+ /**
+ * Landing page to use if a user tries to access the login page directly or
+ * if the session times out during login. If not set, error responses will
+ * be sent instead.
+ */
+ protected String landingPage = null;
// ------------------------------------------------------------- Properties
@@ -106,6 +112,22 @@ public class FormAuthenticator
}
+ /**
+ * Return the landing page to use when FORM auth is mis-used.
+ */
+ public String getLandingPage() {
+ return landingPage;
+ }
+
+
+ /**
+ * Set the landing page to use when the FORM auth is mis-used.
+ */
+ public void setLandingPage(String landingPage) {
+ this.landingPage = landingPage;
+ }
+
+
// --------------------------------------------------------- Public Methods
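Review bot: `setLandingPage` stores the configured value unchecked, but both redirect branches added later in this commit build the target as `request.getContextPath() + landingPage`, so a value without a leading slash (for example `index.jsp`) silently becomes `/ctxindex.jsp` and the redirect lands on a non-existent resource. A guard in the setter, `if (landingPage != null && !landingPage.startsWith("/")) throw new IllegalArgumentException("landingPage must be a context-relative path starting with '/'");`, surfaces the misconfiguration at deploy time instead of at the first failed login. The field Javadoc in the hunk above and this setter's Javadoc should state the same contract, e.g. `@param landingPage context-relative path beginning with '/', or null to send error responses instead`. The same concatenation appears in the session-expired and form-submission hunks below.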
@@ -273,8 +295,19 @@ public class FormAuthenticator
if (containerLog.isDebugEnabled())
containerLog.debug
("User took so long to log on the session expired");
- response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
- sm.getString("authenticator.sessionExpired"));
+ if (landingPage == null) {
+ response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
+ sm.getString("authenticator.sessionExpired"));
+ } else {
+ // Make the authenticator think the user originally requested
+ // the landing page
+ String uri = request.getContextPath() + landingPage;
+ SavedRequest saved = new SavedRequest();
+ saved.setRequestURI(uri);
+ request.getSessionInternal(true).setNote(
+ Constants.FORM_REQUEST_NOTE, saved);
+ response.sendRedirect(response.encodeRedirectURL(uri));
+ }
return (false);
}
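Review bot: The `SavedRequest` created in the new `else` branch carries only a request URI, so whatever later matches and restores this saved request (outside this hunk) sees no method, query string or headers; if the restore path replays the saved method, the landing page is replayed with an unset method. Recording `saved.setMethod("GET");` next to `saved.setRequestURI(uri);` makes the intended replay explicit and keeps the saved entry self-describing. The same block is duplicated verbatim in the form-submission hunk below, differing only in how the session is obtained, so both branches should call one private helper. The enclosing method starts before this hunk and the session passed in the expired-session case is freshly created by `getSessionInternal(true)`, which I assume is intended since the old one has expired.
```java
            } else {
                redirectToLandingPage(request, response,
                        request.getSessionInternal(true));
            }
            // … unchanged: return (false) …

    /**
     * Sends the client to the configured landing page and records that page
     * as the saved request so a subsequent successful login is replayed
     * against it. Only used when landingPage is non-null.
     */
    private void redirectToLandingPage(Request request, Response response,
            Session session) throws IOException {
        String uri = request.getContextPath() + landingPage;
        SavedRequest saved = new SavedRequest();
        // The landing page is always fetched as a plain GET; nothing else
        // from the original request is known at this point.
        saved.setMethod("GET");
        saved.setRequestURI(uri);
        session.setNote(Constants.FORM_REQUEST_NOTE, saved);
        response.sendRedirect(response.encodeRedirectURL(uri));
    }
```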
@@ -291,8 +324,18 @@ public class FormAuthenticator
if (log.isDebugEnabled())
log.debug("Redirecting to original '" + requestURI + "'");
if (requestURI == null)
- response.sendError(HttpServletResponse.SC_BAD_REQUEST,
- sm.getString("authenticator.formlogin"));
+ if (landingPage == null) {
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST,
+ sm.getString("authenticator.formlogin"));
+ } else {
+ // Make the authenticator think the user originally requested
+ // the landing page
+ String uri = request.getContextPath() + landingPage;
+ SavedRequest saved = new SavedRequest();
+ saved.setRequestURI(uri);
+ session.setNote(Constants.FORM_REQUEST_NOTE, saved);
+ response.sendRedirect(response.encodeRedirectURL(uri));
+ }
else
response.sendRedirect(response.encodeRedirectURL(requestURI));
return (false);
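Review bot: The outer `if (requestURI == null)` at the top of the hunk is unbraced yet now wraps a braced `if`/`else` and is itself followed by an `else`, which is legal but easy to misread as a dangling-else; bracing the outer statement, `if (requestURI == null) {` … `} else {` … `}`, removes the ambiguity for the next reader. The debug line just above still reports `Redirecting to original 'null'` before the landing-page redirect is taken, so a debug message inside the new branch naming the landing page would make this path traceable in the logs. The enclosing method continues past the end of this hunk.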
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1025775&r1=1025774&r2=1025775&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Oct 20 21:55:30 2010
@@ -40,6 +40,11 @@
<subsection name="Catalina">
<changelog>
<fix>
+ <bug>3839</bug>: Provide a mechanism to gracefully handle the case
where
+ users book-mark the form login page or otherwise misuse the FORM
+ authentication process. Based on a suggestion by Mark Morris. (markt)
+ </fix>
+ <fix>
<bug>49991</bug>: Ensure servlet request listeners are fired for
the login and error pages during FORM authentication. (markt)
</fix>
Modified: tomcat/trunk/webapps/docs/config/valve.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=1025775&r1=1025774&r2=1025775&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/trunk/webapps/docs/config/valve.xml Wed Oct 20 21:55:30 2010
@@ -552,6 +552,19 @@
workaround for browser caching issues. If not set, the default value of
<code>true</code> will be used.</p>
</attribute>
+
+ <attribute name="landingPage" required="false">
+ <p>Controls the behavior of the FORM authentication process if the
+ process is misused, for example by directly requesting the login page
+ or delaying logging in for so long that the session expires. If this
+ attribute is set, rather than returning an error response code, Tomcat
+ will redirect the user to the specified landing page if the login form
+ is submitted with valid credentials. For the login to be processed, the
+ landing page must be a protected resource (i.e. one that requires
+ authentication). If the landing page does not require authentication
+ then the user will not be logged in and will be prompted for their
+ credentials again when they access a protected page.</p>
+ </attribute>
<attribute name="securePagesWithPragma" required="false">
<p>Controls the caching of pages that are protected by security