cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2004-11-20 Thread billbarker
billbarker2004/11/20 18:47:01

  Modified:src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Log:
  Process the redirect to https if the redirectPort is specified
  
  Revision  ChangesPath
  1.23  +15 -0 
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
  retrieving revision 1.22
  retrieving revision 1.23
  diff -u -r1.22 -r1.23
  --- AccessInterceptor.java25 Feb 2004 06:52:40 -  1.22
  +++ AccessInterceptor.java21 Nov 2004 02:47:01 -  1.23
  @@ -305,6 +305,21 @@
if( CONFIDENTIAL.equalsIgnoreCase(transp) || 
INTEGRAL.equalsIgnoreCase(transp) ) {
if( ! req.scheme().equals(https)) {
  + Integer rp = 
(Integer)req.getAttribute(org.apache.tomcat.request.redirectPort);
  + if(rp != null  rp.intValue()  0) {
  + StringBuffer rsb = new StringBuffer();
  + rsb.append(https://;).append(req.serverName());
  + if(rp.intValue() != 443) {
  + rsb.append(':').append(rp);
  + }
  + rsb.append(req.requestURI());
  + if(!req.query().isNull()) {
  + rsb.append('?').append(req.query());
  + }
  + req.setAttribute(javax.servlet.error.message,
  +  rsb.toString());
  + return 301;
  + }
// We could redirect or do something advanced - but the spec
// only requires us to deny access. A nice error handler
// would also be nice
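Review bot: The host in the redirect target comes from `req.serverName()`, which presumably reflects the client-supplied Host header, so the 301 can name whatever host the request named; a configured canonical host name, where the deployment has one, is the safer source. A 301 is also cached by browsers and is normally replayed as a GET, so a request with a body that arrived over plain http has already exposed its data and then loses it; consider redirecting only GET and HEAD and keeping the denial for everything else. The target is passed through the `javax.servlet.error.message` attribute, which deserves a comment such as `// the status handler takes the redirect target from javax.servlet.error.message`. The enclosing method starts and ends outside the hunk.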
  
  
  




cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2001-12-07 Thread billbarker

billbarker01/12/07 20:50:41

  Modified:src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Log:
  Fix the position of ;jsessionid on 401 responses.
  
  The original code didn't work if the protected servlet was being called with a query 
string (it put the ;jsessionid after the query string, so it becomes lost).  Now it is 
stuck to the requestURI where it belongs.
  
  Revision  ChangesPath
  1.20  +4 -3  
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
  retrieving revision 1.19
  retrieving revision 1.20
  diff -u -r1.19 -r1.20
  --- AccessInterceptor.java2001/10/27 02:12:19 1.19
  +++ AccessInterceptor.java2001/12/08 04:50:41 1.20
  @@ -527,9 +527,7 @@
if( debug0) log( Username =  + username);
   
String originalLocation = req.requestURI().toString();
  - if (req.queryString().toString() != null
  - !req.queryString().toString().equals())
  - originalLocation += ? + req.queryString().toString();
  +
   //XXX is needed to put the JVM route too?
   if (noSession
|| Request.SESSIONID_FROM_URL.equals(req.getSessionIdSource()))  {
  @@ -538,6 +536,9 @@
   originalLocation += id ;
   page += id ;
}
  + if (req.queryString().toString() != null
  + !req.queryString().toString().equals())
  + originalLocation += ? + req.queryString().toString();
session.setAttribute( tomcat.auth.originalLocation,
  originalLocation);
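Review bot: The block re-added in this second hunk evaluates `req.queryString().toString()` three times and hangs the append on an unbraced two-line `if`, which is easy to break when the next statement is added. Reading the value once is clearer: `String qs = req.queryString().toString();` followed by `if( qs != null && !qs.equals("") ) { originalLocation += "?" + qs; }`. The first hunk is the matching deletion, and the handler method itself starts outside both hunks.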
   
  
  
  





cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2001-10-27 Thread billbarker

billbarker01/10/26 19:12:19

  Modified:src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Log:
  With the old code, if you have a context /foo and set its login page to 
/foologin.html, horrible things would happen to you.  With this, the context has to 
be the first component in order to fail.
  
  Of course, having a /foo sub-directory of the context will still fail, but I can 
later that one.
  
  Revision  ChangesPath
  1.19  +2 -2  
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- AccessInterceptor.java2001/10/03 05:38:44 1.18
  +++ AccessInterceptor.java2001/10/27 02:12:19 1.19
  @@ -160,7 +160,7 @@
String cpath=ctx.getPath();

// Workaround for common error - ctx path included
  - if( page.startsWith( cpath ) ) {
  + if( page.startsWith( cpath + / ) ) {
if( ! (.equals(cpath) || /.equals(cpath)) )
ctx.log(FORM: WARNING, login page starts with  +
context path  + page +   + cpath );
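Review bot: With `cpath + "/"` as the prefix, a context whose path is exactly `/` is now tested against `//`, so a login page such as `/login.html` no longer matches and appears to fall through to `page= cpath + page;` (visible at the top of the second hunk). The inner test `"/".equals(cpath)` suggests that value can occur. Building the prefix without doubling the slash keeps the old behaviour for the root context: `String prefix = cpath.endsWith("/") ? cpath : cpath + "/";` and then `page.startsWith( prefix )`. The `errorPage` test in the second hunk has the same issue, and both tests sit in a method that starts outside the hunks.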
  @@ -168,7 +168,7 @@
page= cpath + page;
   
   
  - if( errorPage.startsWith( cpath ) ) {
  + if( errorPage.startsWith( cpath + / ) ) {
if( ! (/.equals(cpath) || .equals( cpath )) )
ctx.log(FORM: WARNING, error page starts with  +
context path  + errorPage);
  
  
  



cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2001-10-02 Thread billbarker

billbarker01/10/02 22:38:44

  Modified:src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Log:
  Add a check for INTEGRAL transport-guarantee.
  
  This gets us in line with the recommended behavior in the servlet spec (that 
INTEGRAL should imply SSL).
  
  Revision  ChangesPath
  1.18  +4 -3  
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- AccessInterceptor.java2001/09/23 03:26:32 1.17
  +++ AccessInterceptor.java2001/10/03 05:38:44 1.18
  @@ -333,10 +333,11 @@
transp=(String)req.getNote( reqTransportNote );
}

  - // Check transport. We only verify CONFIDENTIAL, other auth modules
  - // could do other tests
  + // Check transport. We verify CONFIDENTIAL and INTEGRAL, 
  + // other auth modules could do other tests
if( debug  0 ) log( Transport  + transp );
  - if( CONFIDENTIAL.equalsIgnoreCase(transp) ) {
  + if( CONFIDENTIAL.equalsIgnoreCase(transp) || 
  + INTEGRAL.equalsIgnoreCase(transp) ) {
if( ! req.scheme().equals(https)) {
// We could redirect or do something advanced - but the spec
// only requires us to deny access. A nice error handler
  
  
  



cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2001-09-22 Thread nacho

nacho   01/09/22 20:26:32

  Modified:src/share/org/apache/tomcat/modules/mappers
DecodeInterceptor.java
   src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Log:
  Better messages for some 403 statuses, returned when unsafe URLS
  or when trying to access WEB-INF dir.
  
  Revision  ChangesPath
  1.8   +3 -2  
jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java
  
  Index: DecodeInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/mappers/DecodeInterceptor.java,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- DecodeInterceptor.java2001/08/12 01:47:59 1.7
  +++ DecodeInterceptor.java2001/09/23 03:26:32 1.8
  @@ -296,9 +296,10 @@
//   throw new RuntimeException(ASSERT: ? in requestURI);
   
   // If path is unsafe, return forbidden
  -if( safe  !isSafeURI(pathMB) )
  +if( safe  !isSafeURI(pathMB) ){
  +req.setAttribute(javax.servlet.error.message,Unsafe URL);
   return 403;
  - 
  + }
if( normalize 
( pathMB.indexOf(//) = 0 ||
  pathMB.indexOf(/. ) =0
  
  
  
  1.17  +4 -4  
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
  retrieving revision 1.16
  retrieving revision 1.17
  diff -u -r1.16 -r1.17
  --- AccessInterceptor.java2001/09/14 04:13:35 1.16
  +++ AccessInterceptor.java2001/09/23 03:26:32 1.17
  @@ -258,10 +258,10 @@
int ctxPathLen=ctxPath.length();

// quick test
  - if( reqURIMB.startsWithIgnoreCase( /META-INF, ctxPathLen) ) {
  - return 403;
  - }
  - if( reqURIMB.startsWithIgnoreCase( /WEB-INF, ctxPathLen) ) {
  + if( reqURIMB.startsWithIgnoreCase( /META-INF, ctxPathLen) ||
  +  reqURIMB.startsWithIgnoreCase( /WEB-INF, ctxPathLen) ) {
  +req.setAttribute(javax.servlet.error.message,
  + Forbidden directory);
return 403;
}
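Review bot: The combined `startsWithIgnoreCase` test is a raw prefix match on `reqURIMB` at `ctxPathLen`, so it protects `/WEB-INF` and `/META-INF` only if the URI has already been decoded and normalized when this code runs. Nothing in the hunk shows that, although DecodeInterceptor in the same commit appears to be where it happens. A comment stating the dependency would help, for example `// assumes reqURIMB was decoded and normalized earlier (DecodeInterceptor); this is a plain prefix test`. The prefix also matches sibling names that merely begin with `/WEB-INF`, which only over-blocks. The enclosing method lies outside the hunk.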
   
  
  
  



cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2001-09-13 Thread costin

costin  01/09/13 21:13:35

  Modified:src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Log:
  Remove the result of too much cut&paste - thanks Attila Szegedi 
[EMAIL PROTECTED]
  for pointing this out.
  
  Revision  ChangesPath
  1.16  +6 -19 
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- AccessInterceptor.java2001/09/10 06:43:02 1.15
  +++ AccessInterceptor.java2001/09/14 04:13:35 1.16
  @@ -465,7 +465,10 @@
   }
   
   class BasicAuthHandler extends Handler {
  -int sbNote=0;
  +// it goes back with the 401 response, not visible to the user
  +static final String errorMessage=
  + htmlheadtitleNot Authorized/title/head+
  + bodyNot Authorized/body/html;
   
   BasicAuthHandler() {
//  setOrigin( Handler.ORIGIN_INTERNAL );
  @@ -485,24 +488,8 @@
// and notify the user they are not authorized if BasicAuth fails
   res.setContentType(text/html);// ISO-8859-1 default  
   
  - if( sbNote==0 ) {
  - sbNote=req.getContextManager().getNoteId(ContextManager.REQUEST_NOTE,
  -  BasicAuthHandler.buff);
  - }
  -
  - // we can recycle it because
  - // we don't call toString();
  - StringBuffer buf=(StringBuffer)req.getNote( sbNote );
  - if( buf==null ) {
  - buf = new StringBuffer();
  - req.setNote( sbNote, buf );
  - }
  - 
  -buf.append(htmlheadtitleNot Authorized/title/head);
  -buf.append(bodyNot Authorized/body/html);
  -
  -res.setContentLength(buf.length());
  - res.getBuffer().write( buf );
  +res.setContentLength(errorMessage.length());
  + res.getBuffer().write( errorMessage );
   }
   }
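Review bot: `res.setContentLength(errorMessage.length())` counts chars rather than bytes, which is correct here only because the constant is pure ASCII and the response keeps the ISO-8859-1 default mentioned two lines above. A comment on the constant would keep it that way, for example `// ASCII only: Content-Length is taken from String.length()`. The existing comment says the body is not visible to the user, but a client may well display it when the credentials prompt is dismissed, so the wording is worth checking.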
   
  
  
  



cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2001-09-10 Thread costin

costin  01/09/09 23:43:02

  Modified:src/share/org/apache/tomcat/core ContextManager.java
Request.java
   src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Log:
  Fix 3441, small enhancement in security constraints handling.
  
  The problem was that ContextManager only checked for user roles to decide if 
authorization
  is needed.
  
  Now any security-related property will trigger the authorize hook ( well, right now 
there are
   only 2 kinds - transport and user, but it's better to be flexible ). A new field, 
securityContext
  will hold all the security-related properties for the request and will be set by
  AccessInterceptor.
  
  No other changes are needed, except for modules that implement authorize() - they 
must
  be prepared to deal with situations when only transport constraints are required.
  
  Regarding the transport - we just report an error - we could do a more advanced 
operation
  like redirect, but that can also be done by users using error directives - or later, 
by
  a more advanced module.
  
  Revision  ChangesPath
  1.193 +6 -9  
jakarta-tomcat/src/share/org/apache/tomcat/core/ContextManager.java
  
  Index: ContextManager.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/ContextManager.java,v
  retrieving revision 1.192
  retrieving revision 1.193
  diff -u -r1.192 -r1.193
  --- ContextManager.java   2001/09/03 02:20:08 1.192
  +++ ContextManager.java   2001/09/10 06:43:01 1.193
  @@ -887,20 +887,17 @@
return;
}
   
  - String roles[]=req.getRequiredRoles();
  - if(roles != null ) {
  + Container sct=req.getSecurityContext();
  + if(sct != null ) {
status=0;
BaseInterceptor reqI[];
  - if( req.getContext()==null )
  - reqI=getContainer().
  - getInterceptors( Container.H_handleError );
  - else
  - reqI = req.getContext().getContainer().
  - getInterceptors(Container.H_authorize);
  + // assert( req.getContext()!=null ) - checked in processRequest
  + reqI = req.getContext().getContainer().
  + getInterceptors(Container.H_authorize);
   
// Call all authorization callbacks. 
for( int i=0; i reqI.length; i++ ) {
  - status = reqI[i].authorize( req, res, roles );
  + status = reqI[i].authorize( req, res, sct.getRoles() );
if ( status != BaseInterceptor.DECLINED ) {
break;
}
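Review bot: The null-context fallback is replaced by a comment-only assertion, so `req.getContext().getContainer()` now dereferences whatever the caller left in the request. If any path reaches this code without the check in processRequest, the authorization step ends in a NullPointerException instead of a controlled denial. An explicit guard placed before the lookup documents the invariant and fails predictably, for example `if( req.getContext()==null ) throw new IllegalStateException("authorize without context");`. The method's start and its handling of `status` after the loop are outside the hunk.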
  
  
  
  1.112 +22 -0 jakarta-tomcat/src/share/org/apache/tomcat/core/Request.java
  
  Index: Request.java
  ===
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Request.java,v
  retrieving revision 1.111
  retrieving revision 1.112
  diff -u -r1.111 -r1.112
  --- Request.java  2001/09/01 00:57:16 1.111
  +++ Request.java  2001/09/10 06:43:01 1.112
  @@ -190,6 +190,9 @@
   protected Principal principal;
   // active roles for the current user
   protected String userRoles[];
  +
  +// Security properties required by the config ( web.xml constraints )
  +protected Container security;
   protected String reqRoles[];
   
   // Association with other tomcat comp.
  @@ -597,10 +600,28 @@
reqRoles=roles;
   }
   
  +/** Return the associated security properties for
  + *   the request. This is set up during mapping using the configured
  + *  constraints. The container holds various security properties that
  + *   are checked using authorize() hook. If no security context is set
  + *  the authorize hook will not be called.
  + */
  +public Container getSecurityContext() {
  + return security;
  +}
  +
  +public void setSecurityContext( Container ct ) {
  + security=ct;
  +}
  +
  +/** @deprecated use getSecurityContext
  + */
   public String[] getRequiredRoles( ) {
return reqRoles;
   }
   
  +/** @deprecated use setSecurityContext
  + */
   public void setUserRoles( String roles[] ) {
userRoles=roles;
   }
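Review bot: The second `@deprecated` comment lands on `setUserRoles( String roles[] )`, which assigns `userRoles`, the roles of the authenticated user, not the required roles. The method whose tail `reqRoles=roles;` opens this hunk looks like the intended target. As committed, code that records the user's roles gets a deprecation warning pointing at `setSecurityContext`, which does something unrelated. Move `/** @deprecated use setSecurityContext */` above the required-roles setter, whose signature is outside the hunk, and leave `setUserRoles` as it was.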
  @@ -1048,6 +1069,7 @@
   notAuthenticated=true;
userRoles=null;
reqRoles=null;
  + security=null;
   
uriMB.recycle();
unparsedURIMB.recycle();
  
  
  
  1.15  +34 -1 
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2001-08-24 Thread nacho

nacho   01/08/24 16:57:45

  Modified:src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Log:
  Fix for Bugzilla#2118
  
  Inconsistent behaviour updating OriginalLocation in FormAuthHandler Class
  
  Reported by Juan Jose Muñoz ( jmartine at alhsys.es ), mark.shotton at 
micromass.co.uk
  
  Revision  ChangesPath
  1.14  +15 -12
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
  retrieving revision 1.13
  retrieving revision 1.14
  diff -u -r1.13 -r1.14
  --- AccessInterceptor.java2001/08/23 14:59:14 1.13
  +++ AccessInterceptor.java2001/08/24 23:57:45 1.14
  @@ -505,24 +505,13 @@
String username=(String)session.getAttribute( j_username );
   
if( debug0) log( Username =  + username);
  - if( username != null ) {
  - // 401 with existing j_username - that means wrong credentials.
  - // Next time we'll have a fresh start
  - session.removeAttribute( j_username);
  - session.removeAttribute( j_password);
  - req.setAttribute(javax.servlet.error.message,
  -  errorPage );
  - if( debug0) log( Redirecting to  + errorPage );
  - contextM.handleStatus( req, res, 302 ); // redirect
  - return;
  - }
   
String originalLocation = req.requestURI().toString();
if (req.queryString().toString() != null
!req.queryString().toString().equals())
originalLocation += ? + req.queryString().toString();
   //XXX is needed to put the JVM route too?
  -if (noSession 
  +if (noSession
|| Request.SESSIONID_FROM_URL.equals(req.getSessionIdSource()))  {
// If new session we have no way to know if cookies are supported
String id=;jsessionid=+req.getSessionId() ;
  @@ -531,6 +520,20 @@
}
session.setAttribute( tomcat.auth.originalLocation,
  originalLocation);
  +
  +
  + if( username != null ) {
  + // 401 with existing j_username - that means wrong credentials.
  + // Next time we'll have a fresh start
  + session.removeAttribute( j_username);
  + session.removeAttribute( j_password);
  + req.setAttribute(javax.servlet.error.message,
  +  errorPage );
  + if( debug0) log( Redirecting to  + errorPage );
  + contextM.handleStatus( req, res, 302 ); // redirect
  + return;
  + }
  +
if( debug  0 )
log(Redirect1:  + page  +  originalUri= +
originalLocation );
  
  
  



cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2001-08-23 Thread costin

costin  01/08/23 07:59:14

  Modified:src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Log:
  Fix for # 2148.
  
  Thanks [EMAIL PROTECTED] (Mahmoud)
  
  Submitted by: [EMAIL PROTECTED] (Mahmoud)
  
  Revision  ChangesPath
  1.13  +6 -0  
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- AccessInterceptor.java2001/07/15 23:58:32 1.12
  +++ AccessInterceptor.java2001/08/23 14:59:14 1.13
  @@ -421,6 +421,12 @@
   
   // It's called in a single thread anyway
   public synchronized void addContainer(Container ct) {
  + //bug 2148
  + if(patterns=securityPatterns.length) {
  + Container [] newsecurityPatterns = new 
Container[MAX_CONSTRAINTS+securityPatterns.length];
  + 
System.arraycopy(securityPatterns,0,newsecurityPatterns,0,securityPatterns.length);
  + securityPatterns = newsecurityPatterns;
  + }
securityPatterns[ patterns ]= ct;
patterns++;
   }
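Review bot: The `//bug 2148` comment does not say what the block does; something like `// grow securityPatterns by MAX_CONSTRAINTS when it is full instead of writing past the end (bug 2148)` spares the reader a bug-tracker lookup. The method is `synchronized`, but the matching code that reads `securityPatterns` and `patterns` is not in the hunk. If that code runs without the lock while constraints are still being added, it could see the new count with the old array, so it is worth confirming that constraints are registered only before requests are served.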
  
  
  



cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2001-07-15 Thread costin

costin  01/07/15 16:58:32

  Modified:src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Log:
  AccessInterceptor will now use case-insensitive match for windows. Better
  safe :-)
  
  The main reason is that FileUtil ( which is used right now to do the checks )
  is fine as long as someone is calling it - we do call it in StaticInterceptor,
  but what if the user defines a servlet to handle static files ?
  ( there are many other cases where this will help )
  
  Revision  ChangesPath
  1.12  +40 -7 
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
  retrieving revision 1.11
  retrieving revision 1.12
  diff -u -r1.11 -r1.12
  --- AccessInterceptor.java2001/05/21 04:22:32 1.11
  +++ AccessInterceptor.java2001/07/15 23:58:32 1.12
  @@ -60,7 +60,7 @@
   package org.apache.tomcat.modules.aaa;
   
   import org.apache.tomcat.core.*;
  -import org.apache.tomcat.util.buf.MessageBytes;
  +import org.apache.tomcat.util.buf.*;
   import org.apache.tomcat.util.io.FileUtil;
   import org.apache.tomcat.util.http.*;
   import java.util.*;
  @@ -93,8 +93,19 @@
   int reqTransportNote;
   
   public AccessInterceptor() {
  + ignoreCase= (File.separatorChar  == '\\');
   }
   
  +//  Ingore case 
  +boolean ignoreCase=false;
  +
  +/** Use case insensitive match, for windows and
  + similar platforms
  +*/
  +public void setIgnoreCase( boolean b ) {
  + ignoreCase=b;
  +}
  +
   /*  Initialization  */
   
   /** Set the context manager. To keep it simple we don't support
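Review bot: `ignoreCase` is switched on only when `File.separatorChar` is a backslash, so a case-insensitive file system on any other platform keeps case-sensitive constraint matching unless the administrator calls `setIgnoreCase`. In that setup a differently-cased path would miss the constraint while still resolving to the same file. The Javadoc on `setIgnoreCase` should say so plainly, for example `Must be set to true whenever the document root is on a case-insensitive file system; only Windows is detected automatically.` The field is also declared after the constructor that assigns it, and its comment is misspelled (`Ingore`).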
  @@ -258,6 +269,12 @@
if( ctxSec==null || ctxSec.patterns==0 ) return 0; // fast exit
   
String reqURI = req.requestURI().toString();
  +
  + /* We don't need this if we normalize the path
  +if( reqURI.indexOf( // ) = 0 )
  +return 403;
  + */
  + 
String path=reqURI.substring( ctxPathLen);
String method=req.method().toString();

  @@ -337,7 +354,7 @@
if( ctMethods != null  ctMethods.length  0 ) {
boolean ok=false;
for( int i=0; i ctMethods.length; i++ ) {
  - if( method.equals( ctMethods[i] ) ) {
  + if( method.equalsIgnoreCase( ctMethods[i] ) ) {
ok=true;
break;
}
  @@ -361,15 +378,31 @@
// if more can be matched in the path, include matching the '/'
if( path.length()  matchLen )
matchLen++;
  - for( int i=0; i matchLen ; i++ ) {
  - if( path.charAt( i ) != ctPath.charAt( i ))
  - return false;
  + if( ignoreCase ) {
  + for( int i=0; i matchLen ; i++ ) {
  + if( Ascii.toLower(path.charAt( i )) !=
  + Ascii.toLower(ctPath.charAt( i )))
  + return false;
  + }
  + } else {
  + for( int i=0; i matchLen ; i++ ) {
  + if( path.charAt( i ) != ctPath.charAt( i ))
  + return false;
  + }
}
return true;
case Container.EXTENSION_MAP:
  - return ctPath.substring( 1 ).equals(FileUtil.getExtension( path ));
  + if( ignoreCase )
  + return ctPath.substring( 1 ).
  + equalsIgnoreCase(FileUtil.getExtension( path ));
  + else
  + return ctPath.substring( 1 ).
  + equals(FileUtil.getExtension( path ));
case Container.PATH_MAP:
  - return path.equals( ctPath );
  + if( ignoreCase )
  + return path.equalsIgnoreCase( ctPath );
  + else
  + return path.equals( ctPath );
}
return false;
   }
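Review bot: The prefix branch folds case with `Ascii.toLower` while the extension and exact-match branches use `equalsIgnoreCase`, so the three kinds of constraint can disagree on paths that contain non-ASCII letters. The duplicated loops can also be replaced by one call that covers both modes: `return path.regionMatches( ignoreCase, 0, ctPath, 0, matchLen );`. That call returns false when either string is shorter than `matchLen`, where the loops would index past the end. The start of the method, including how `matchLen` is derived, is outside the hunk.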
  
  
  



cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2001-03-09 Thread nacho

nacho   01/03/09 14:54:07

  Modified:src/examples/jsp/security/login login.jsp
   src/examples/jsp index.html
   src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Added:   src/examples/jsp/security index.jsp
  Log:
  Fix for  http://nagoya.apache.org/bugzilla/show_bug.cgi?id=539 
  
  Added a way to show up the changes through examples/jsp/security/protected.
  
  Reported by: [EMAIL PROTECTED]
  
  Revision  ChangesPath
  1.3   +1 -1  jakarta-tomcat/src/examples/jsp/security/login/login.jsp
  
  Index: login.jsp
  ===
  RCS file: /home/cvs/jakarta-tomcat/src/examples/jsp/security/login/login.jsp,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- login.jsp 2000/10/09 02:38:15 1.2
  +++ login.jsp 2001/03/09 22:54:06 1.3
  @@ -2,7 +2,7 @@
   body
   h1Login page for examples/h1
   
  -form method="POST" action="j_security_check" 
  +form method="POST" action='%= response.encodeURL("j_security_check")%' 
Username: input type="text" name="j_username"br
Password: input type="password" name="j_password"br 
br
  
  
  
  1.1  jakarta-tomcat/src/examples/jsp/security/index.jsp
  
  Index: index.jsp
  ===
  html
  !--
Copyright (c) 1999 The Apache Software Foundation.  All rights 
reserved.
  --
  
  body bgcolor="white"
  html
  h1Security Examples/h1
  table border=0
  trtd
  a href='%= response.encodeURL("protected/index.jsp") %'Protected 
Directory, browse it with cookies disabled/abr/
  /td/tr
  trtd
  a href='protected/index.jsp'Protected Directory, Use with cookies enabled 
browser/a
  /td/tr
  /table
  
  /html
  
  
  
  1.5   +1 -1  jakarta-tomcat/src/examples/jsp/index.html
  
  Index: index.html
  ===
  RCS file: /home/cvs/jakarta-tomcat/src/examples/jsp/index.html,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- index.html2000/10/09 02:40:01 1.4
  +++ index.html2001/03/09 22:54:06 1.5
  @@ -152,7 +152,7 @@
   tr VALIGN=TOP
   tdSecuritynbsp;/td
   
  -td VALIGN=TOP WIDTH="30%"a href="security/protected"img 
SRC="../images/execute.gif" HSPACE=4 BORDER=0  align=TOP/aa 
href="security/protected"Execute/a/td
  +td VALIGN=TOP WIDTH="30%"a href="security/"img SRC="../images/execute.gif" 
HSPACE=4 BORDER=0  align=TOP/aa href="security/"Execute/a/td
   
   td WIDTH="30%"a href="security/security.html"img SRC="../images/code.gif" 
HSPACE=4 BORDER=0 height=24 width=24 align=TOP/aa 
href="security/security.html"Source/a/td
   /tr
  
  
  
  1.8   +11 -4 
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- AccessInterceptor.java2001/02/20 03:16:51 1.7
  +++ AccessInterceptor.java2001/03/09 22:54:07 1.8
  @@ -55,7 +55,7 @@
*
* [Additional notices, if required by prior licensing conditions]
*
  - */ 
  + */
   
   package org.apache.tomcat.modules.aaa;
   
  @@ -459,7 +459,7 @@
ServerSession session=req.getSession( false );
if( session == null ) {
}
  - 
  +
String page=ctx.getFormLoginPage();
String errorPage=ctx.getFormErrorPage();
// assert errorPage!=null ( AccessInterceptor will check
  @@ -481,8 +481,15 @@
}
   
String originalLocation = req.requestURI().toString();
  - if (req.queryString().toString() != null)
  + if (req.queryString().toString() != null
  + !req.queryString().toString().equals(""))
originalLocation += "?" + req.queryString().toString();
  +//XXX is needed to put the JVM route too?
  +if (req.getSessionIdSource().equals(Request.SESSIONID_FROM_URL)){
  +String id=";jsessionid="+req.getSessionId() ;
  +originalLocation += id ;
  +page += id ;
  +}
session.setAttribute( "tomcat.auth.originalLocation",
  originalLocation);
if( debug  0 )
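Review bot: `req.getSessionIdSource().equals(Request.SESSIONID_FROM_URL)` throws a NullPointerException if the request has no session id source, which seems likely for a first request that arrives without any session id. Putting the constant first avoids it: `if( Request.SESSIONID_FROM_URL.equals(req.getSessionIdSource()) ) {`. The appended `;jsessionid=` is also stored in `tomcat.auth.originalLocation` and added to the login page URL, so the session id will appear in access logs and Referer headers; a comment marking this as the cookie-less fallback would make that trade-off explicit. The handler method starts outside the hunk.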
  @@ -502,7 +509,7 @@
   This is called after the user POST the form login page.
   */
   class FormSecurityCheckHandler extends Handler {
  -
  +
   FormSecurityCheckHandler() {
//  setOrigin( Handler.ORIGIN_INTERNAL );
name="tomcat.formSecurityCheck";
  
  
  





cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2001-02-05 Thread costin

costin  01/02/05 22:30:58

  Modified:src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Log:
  Use Parameters in AccessInterceptor.
  
  Revision  ChangesPath
  1.5   +9 -2  
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- AccessInterceptor.java2001/01/29 07:08:45 1.4
  +++ AccessInterceptor.java2001/02/06 06:30:58 1.5
  @@ -61,6 +61,7 @@
   
   import org.apache.tomcat.core.*;
   import org.apache.tomcat.util.*;
  +import org.apache.tomcat.util.http.*;
   import java.util.*;
   import java.io.*;
   
  @@ -511,8 +512,14 @@
   public void doService(Request req, Response res)
throws Exception
   {
  - String username=req.getParameter( "j_username" );
  - String password=req.getParameter( "j_password" );
  + // In order to process the form we need to read the POST
  + // body, if any
  + req.handlePostParameters();
  +
  + Parameters params=req.parameters();
  + 
  + String username=params.getParameter( "j_username" );
  + String password=params.getParameter( "j_password" );
   
Context ctx=req.getContext();
String errorPage=ctx.getFormErrorPage();
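Review bot: `j_username` and `j_password` are read from `req.parameters()` with no check of the request method in the visible lines. If Parameters also carries query-string values, which this hunk does not show, credentials sent in the URL of a GET would be accepted and would end up in access logs and browser history. Checking `req.method()` for POST before reading the two parameters, and treating anything else as a failed login, closes that path. What happens when either parameter is missing is decided further down in `doService`, outside the hunk.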
  
  
  





cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa AccessInterceptor.java

2001-01-09 Thread nacho

nacho   01/01/09 13:26:08

  Modified:src/share/org/apache/tomcat/modules/aaa
AccessInterceptor.java
  Log:
  A typo ( a cruel one :)
  
  Revision  ChangesPath
  1.3   +1 -1  
jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java
  
  Index: AccessInterceptor.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/modules/aaa/AccessInterceptor.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- AccessInterceptor.java2001/01/01 02:07:23 1.2
  +++ AccessInterceptor.java2001/01/09 21:26:07 1.3
  @@ -307,7 +307,7 @@
   return DECLINED; // no user roles - can't handle
   
for( int i=0; i userRoles.length; i ++ ) {
  - for( int j=0; j roles.length; i ++ )
  + for( int j=0; j roles.length; j ++ )
if( userRoles[i]!=null  userRoles[i].equals( roles[j] ))
return OK; // found the right role
}
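Review bot: The inner loop still has no braces around its `if`, which is the layout that let the wrong counter go unnoticed; bracing both loops makes the nesting explicit. This loop is the role check that returns `OK`, so it deserves a test with a user who holds only the second of two required roles, the case the old `i ++` could never reach. The method's start and its result when no role matches are outside the hunk.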
  
  
  
