cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2005-04-01 Thread luehe
luehe   2005/04/01 13:18:28

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Do not add context path to login and error pages, since we are
  comparing them against request.getRequestPathMB().toString(),
  which does not include context path.
  
  hasResourcePermission() used to compare login and error pages against
  request.getDecodedRequestURI(), which does include context path, but
  this was changed in rev 1.49 to compare them against
  request.getRequestPathMB().toString(), to be consistent with
  findSecurityConstraints().
  
  Revision  ChangesPath
  1.51  +3 -3  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.50
  retrieving revision 1.51
  diff -u -r1.50 -r1.51
  --- RealmBase.java25 Mar 2005 08:29:34 -  1.50
  +++ RealmBase.java1 Apr 2005 21:18:28 -   1.51
  @@ -703,13 +703,13 @@
   if ((config != null) 
   (Constants.FORM_METHOD.equals(config.getAuthMethod( {
   String requestURI = request.getRequestPathMB().toString();
  -String loginPage = context.getPath() + config.getLoginPage();
  +String loginPage = config.getLoginPage();
   if (loginPage.equals(requestURI)) {
   if (log.isDebugEnabled())
   log.debug( Allow access to login page  + loginPage);
   return (true);
   }
  -String errorPage = context.getPath() + config.getErrorPage();
  +String errorPage = config.getErrorPage();
   if (errorPage.equals(requestURI)) {
   if (log.isDebugEnabled())
   log.debug( Allow access to error page  + errorPage);
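Review bot: `loginPage.equals(requestURI)` and `errorPage.equals(requestURI)` dereference whatever `config.getLoginPage()` and `config.getErrorPage()` return, so if either getter can return null for a FORM login config this check throws instead of falling through; `requestURI.equals(loginPage)` avoids that. This exact-match exemption is what lets unauthenticated requests reach the login and error pages, so a regression test with a non-root context path would catch a repeat of the mismatch the log message describes. The local `requestURI` now holds a context-relative path; renaming it or adding a one-line comment would keep a later edit from re-adding `context.getPath()`.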
  
  
  

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2005-03-02 Thread luehe
luehe   2005/03/02 11:27:11

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Consider the case where original request was mapped to welcome page.
  In this case, the mapped welcome page (and not the original request
  URI!) needs to be the target of hasResourcePermission().
  
  This is consistent with the change that had been made in 
findSecurityConstraints().
  
  BTW, shouldn't request.getDecodedRequestURI() return the mapped
  welcome page (instead of the original URI) in this case?
  In other words, shouldn't the path passed to
mappingData.requestPath.setString(pathStr)
  in Mapper.java be propagated to the request object associated with the
  mappingData?
  
  Revision  ChangesPath
  1.49  +2 -2  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.48
  retrieving revision 1.49
  diff -u -r1.48 -r1.49
  --- RealmBase.java23 Feb 2005 19:27:56 -  1.48
  +++ RealmBase.java2 Mar 2005 19:27:11 -   1.49
  @@ -702,7 +702,7 @@
   LoginConfig config = context.getLoginConfig();
   if ((config != null) 
   (Constants.FORM_METHOD.equals(config.getAuthMethod( {
  -String requestURI = request.getDecodedRequestURI();
  +String requestURI = request.getRequestPathMB().toString();
   String loginPage = context.getPath() + config.getLoginPage();
   if (loginPage.equals(requestURI)) {
   if (log.isDebugEnabled())
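Review bot: the context line right after the change still builds `loginPage` as `context.getPath() + config.getLoginPage()`, while `requestURI` now comes from `request.getRequestPathMB()`. If that path does not include the context path, `loginPage.equals(requestURI)` can only match in the root context and the login-page exemption stops working everywhere else. Either drop the `context.getPath()` prefix in the same commit or add a comment stating which form both operands are expected to have.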
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2005-03-02 Thread Remy Maucherat
[EMAIL PROTECTED] wrote:
luehe   2005/03/02 11:27:11
  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Consider the case where original request was mapped to welcome page.
  In this case, the mapped welcome page (and not the original request
  URI!) needs to be the target of hasResourcePermission().
  
  This is consistent with the change that had been made in findSecurityConstraints().
  
  BTW, shouldn't request.getDecodedRequestURI() return the mapped
  welcome page (instead of the original URI) in this case?
  In other words, shouldn't the path passed to
mappingData.requestPath.setString(pathStr)
  in Mapper.java be propagated to the request object associated with the
  mappingData?
I consider welcome files to be internal forwards (since it is allowed to
handle them this way). As a result, they shouldn't be matched by
security constraints. Only the original request path should be used
(so here it's getDecodedRequestURI - as sent by the client).

Rémy


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2005-03-02 Thread Bill Barker

- Original Message -
From: Remy Maucherat [EMAIL PROTECTED]
To: Tomcat Developers List tomcat-dev@jakarta.apache.org
Sent: Wednesday, March 02, 2005 11:56 AM
Subject: Re: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
RealmBase.java


[EMAIL PROTECTED] wrote:
 luehe   2005/03/02 11:27:11

   Modified:catalina/src/share/org/apache/catalina/realm
RealmBase.java
   Log:
   Consider the case where original request was mapped to welcome page.
   In this case, the mapped welcome page (and not the original request
   URI!) needs to be the target of hasResourcePermission().

   This is consistent with the change that had been made in
findSecurityConstraints().

   BTW, shouldn't request.getDecodedRequestURI() return the mapped
   welcome page (instead of the original URI) in this case?
   In other words, shouldn't the path passed to
 mappingData.requestPath.setString(pathStr)
   in Mapper.java be propagated to the request object associated with the
   mappingData?

I consider welcome files to be internal forwards (since it is allowed to
handle them this way). As a result, they shouldn't be matched by
security constraints. Only the original request path should be used
(so here it's getDecodedRequestURI - as sent by the client).


I agree with Remy.  It's an internal Tomcat implementation detail that
welcome-files aren't handled via DefaultServlet doing:
  RequestDispatcher rd = request.getRequestDispatcher(welcome[i]);
  rd.forward(request, response);
Since this is explicitly allowed by the spec, nobody can expect that a
security-constraint mapped only to the welcome-file will be applied.
However, this is probably another thing that should be better specified in
the 2.5 spec.

Rémy






This message is intended only for the use of the person(s) listed above as the 
intended recipient(s), and may contain information that is PRIVILEGED and 
CONFIDENTIAL.  If you are not an intended recipient, you may not read, copy, or 
distribute this message or any attachment. If you received this communication 
in error, please notify us immediately by e-mail and then delete all copies of 
this message and any attachments.

In addition you should be aware that ordinary (unencrypted) e-mail sent through 
the Internet is not secure. Do not send confidential or sensitive information, 
such as social security numbers, account numbers, personal identification 
numbers and passwords, to us via ordinary (unencrypted) e-mail.



Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2005-03-02 Thread Jan Luehe
Bill/Remy,

Bill Barker wrote:
 - Original Message -
 From: Remy Maucherat [EMAIL PROTECTED]
 To: Tomcat Developers List tomcat-dev@jakarta.apache.org
 Sent: Wednesday, March 02, 2005 11:56 AM
 Subject: Re: cvs commit:
 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
 RealmBase.java
 
 
 
[EMAIL PROTECTED] wrote:

luehe   2005/03/02 11:27:11

  Modified:catalina/src/share/org/apache/catalina/realm
 
 RealmBase.java
 
  Log:
  Consider the case where original request was mapped to welcome page.
  In this case, the mapped welcome page (and not the original request
  URI!) needs to be the target of hasResourcePermission().

  This is consistent with the change that had been made in
 
 findSecurityConstraints().
 
  BTW, shouldn't request.getDecodedRequestURI() return the mapped
  welcome page (instead of the original URI) in this case?
  In other words, shouldn't the path passed to
mappingData.requestPath.setString(pathStr)
  in Mapper.java be propagated to the request object associated with the
  mappingData?

I consider welcome files to be internal forwards (since it is allowed to
handle them this way). As a result, they shouldn't be matched by
security constraints. Only the original request path should be used
(so here it's getDecodedRequestURI - as sent by the client).

 
 
 I agree with Remy.  It's an internal Tomcat implementation detail that
 welcome-files aren't handled via DefaultServlet doing:
   RequestDispatcher rd = request.getRequestDispatcher(welcome[i]);
   rd.forward(request, response);
 Since this is explicitly allowed by the spec, nobody can expect that a
 security-constraint mapped only to the welcome-file will be applied.
 However, this is probably another thing that should be better specified in
 the 2.5 spec.


But SRV.9.10 (Welcome Files) already has this:

  The container may send the request to the welcome resource with
  a forward, a redirect, or a container specific mechanism
  **that is indistinguishable from a direct request**.

The latter to me implies that any sec constraints must be applied
to the mapped welcome page (if any).

Also, see the attached diffs, in particular:

-String uri = request.getDecodedRequestURI();
-String contextPath = hreq.getContextPath();
-if (contextPath.length()  0)
-uri = uri.substring(contextPath.length());
+String uri = request.getRequestPathMB().toString();

in findSecurityConstraints().

When accessing host:port:/somecontext/,
which has welcome page /somecontext/index.jsp,

request.getDecodedRequestURI() returns /somecontext/,
whereas request.getRequestPathMB().toString() returns
/index.jsp (as set by the mapper), so there already is a precedent
in findSecurityConstraints() to match sec constraints against
welcome page, which I think makes sense.

Otherwise, the following sec constraint:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

which is supposed to protect all JSP pages, would be bypassed if a
request was mapped to index.jsp welcome page.


Jan



 
Rémy

 
Index: RealmBase.java
===
RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- RealmBase.java  26 Dec 2003 17:33:44 -  1.23
+++ RealmBase.java  10 Jan 2004 17:23:39 -  1.24
@@ -1,7 +1,7

Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2005-03-02 Thread Remy Maucherat
Jan Luehe wrote:
Bill/Remy,
But SRV.9.10 (Welcome Files) already has this:
  The container may send the request to the welcome resource with
  a forward, a redirect, or a container specific mechanism
  **that is indistinguishable from a direct request**.
The latter to me implies that any sec constraints must be applied
to the mapped welcome page (if any).
The plot thickens.
Also, see the attached diffs, in particular:
-String uri = request.getDecodedRequestURI();
-String contextPath = hreq.getContextPath();
-if (contextPath.length()  0)
-uri = uri.substring(contextPath.length());
+String uri = request.getRequestPathMB().toString();
in findSecurityConstraints().
When accessing host:port:/somecontext/,
which has welcome page /somecontext/index.jsp,
request.getDecodedRequestURI() returns /somecontext/,
whereas request.getRequestPathMB().toString() returns
/index.jsp (as set by the mapper), so there already is a precedent
in findSecurityConstraints() to match sec constraints against
welcome page, which I think makes sense.
Right. However, when I made that commit, the current mapper behavior may 
not have been in place already, or maybe it's simply that I thought the 
two would be equivalent (I was busy optimizing at the time). I don't 
quite remember ;)

Rémy


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2005-03-02 Thread Bill Barker

- Original Message -
From: Jan Luehe [EMAIL PROTECTED]
To: Tomcat Developers List tomcat-dev@jakarta.apache.org
Sent: Wednesday, March 02, 2005 12:51 PM
Subject: Re: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
RealmBase.java


Bill/Remy,

Bill Barker wrote:
 - Original Message -
 From: Remy Maucherat [EMAIL PROTECTED]
 To: Tomcat Developers List tomcat-dev@jakarta.apache.org
 Sent: Wednesday, March 02, 2005 11:56 AM
 Subject: Re: cvs commit:
 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
 RealmBase.java



[EMAIL PROTECTED] wrote:

luehe   2005/03/02 11:27:11

  Modified:catalina/src/share/org/apache/catalina/realm

 RealmBase.java

  Log:
  Consider the case where original request was mapped to welcome page.
  In this case, the mapped welcome page (and not the original request
  URI!) needs to be the target of hasResourcePermission().

  This is consistent with the change that had been made in

 findSecurityConstraints().

  BTW, shouldn't request.getDecodedRequestURI() return the mapped
  welcome page (instead of the original URI) in this case?
  In other words, shouldn't the path passed to
mappingData.requestPath.setString(pathStr)
  in Mapper.java be propagated to the request object associated with the
  mappingData?

I consider welcome files to be internal forwards (since it is allowed to
handle them this way). As a result, they shouldn't be matched by
security constraints. Only the original request path should be used
(so here it's getDecodedRequestURI - as sent by the client).



 I agree with Remy.  It's an internal Tomcat implementation detail that
 welcome-files aren't handled via DefaultServlet doing:
   RequestDispatcher rd = request.getRequestDispatcher(welcome[i]);
   rd.forward(request, response);
 Since this is explicitly allowed by the spec, nobody can expect that a
 security-constraint mapped only to the welcome-file will be applied.
 However, this is probably another thing that should be better specified in
 the 2.5 spec.


But SRV.9.10 (Welcome Files) already has this:

  The container may send the request to the welcome resource with
  a forward, a redirect, or a container specific mechanism
  **that is indistinguishable from a direct request**.


I read the emphasised text as referring to 'container specific mechanism'.
Yes, I agree that the last-minute changes that were made to 9.10 made it a
total mess, but it still explicitly allows DefaultServlet to do a
rd.forward.

The latter to me implies that any sec constraints must be applied
to the mapped welcome page (if any).

Also, see the attached diffs, in particular:


Firstly, I'm strongly -1 on the patch, since removing the 'if(found)return'
statements causes Tomcat to no longer be spec-compliant.  Just because the
spec is silly doesn't mean that we don't have to implement it.


-String uri = request.getDecodedRequestURI();
-String contextPath = hreq.getContextPath();
-if (contextPath.length()  0)
-uri = uri.substring(contextPath.length());
+String uri = request.getRequestPathMB().toString();

in findSecurityConstraints().

When accessing host:port:/somecontext/,
which has welcome page /somecontext/index.jsp,

request.getDecodedRequestURI() returns /somecontext/,
whereas request.getRequestPathMB().toString() returns
/index.jsp (as set by the mapper), so there already is a precedent
in findSecurityConstraints() to match sec constraints against
welcome page, which I think makes sense.


Servlet 12.8.3 says to use the decoded requestURI, which is defined as
contextPath+servletPath+pathInfo.  Since servletPath is set to /index.jsp in
Tomcat, I guess that requestPathMB is the correct one to use.

Otherwise, the following sec constraint:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

which is supposed to protect all JSP pages, would be bypassed if a
request was mapped to index.jsp welcome page.


Jan




Rémy



Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2005-03-02 Thread Jan Luehe
Remy,

Remy Maucherat wrote:
 Jan Luehe wrote:
 
Bill/Remy,

But SRV.9.10 (Welcome Files) already has this:

  The container may send the request to the welcome resource with
  a forward, a redirect, or a container specific mechanism
  **that is indistinguishable from a direct request**.

The latter to me implies that any sec constraints must be applied
to the mapped welcome page (if any).
 
 
 The plot thickens.


What do you mean by that? ;-)
Do you agree the spec is pretty clear about the fact that
any sec constraints must be applied to welcome page?


Also, see the attached diffs, in particular:

-String uri = request.getDecodedRequestURI();
-String contextPath = hreq.getContextPath();
-if (contextPath.length()  0)
-uri = uri.substring(contextPath.length());
+String uri = request.getRequestPathMB().toString();

in findSecurityConstraints().

When accessing host:port:/somecontext/,
which has welcome page /somecontext/index.jsp,

request.getDecodedRequestURI() returns /somecontext/,
whereas request.getRequestPathMB().toString() returns
/index.jsp (as set by the mapper), so there already is a precedent
in findSecurityConstraints() to match sec constraints against
welcome page, which I think makes sense.
 
 
 Right. However, when I made that commit, the current mapper behavior may 
 not have been in place already, or maybe it's simply that I thought the 
 two would be equivalent (I was busy optimizing at the time). I don't 
 quite remember ;)


I think you did the right thing without realizing it. :)
The change I committed earlier today is just consistent with
what you had done.

I'm still nervous about request.getDecodedRequestURI() returning
the original URI even after the request has been mapped to a welcome
page. This violates spec requirement that any container specific
mechanism for mapping request to welcome page must be
indistinguishable from a direct request.


Jan



 Rémy
 



Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2005-03-02 Thread Remy Maucherat
Jan Luehe wrote:
Remy,
Remy Maucherat wrote:
Jan Luehe wrote:
Bill/Remy,
But SRV.9.10 (Welcome Files) already has this:
The container may send the request to the welcome resource with
a forward, a redirect, or a container specific mechanism
**that is indistinguishable from a direct request**.
The latter to me implies that any sec constraints must be applied
to the mapped welcome page (if any).
The plot thickens.
What do you mean by that? ;-)
Do you agree the spec is pretty clear about the fact that
any sec constraints must be applied to welcome page?
It means that the statement would seem to be conflicting with other 
things, but still seems relevant to the topic. So it makes the problem 
more complex.

Right. However, when I made that commit, the current mapper behavior may 
not have been in place already, or maybe it's simply that I thought the 
two would be equivalent (I was busy optimizing at the time). I don't 
quite remember ;)
I think you did the right thing without realizing it. :)
The change I committed earlier today is just consistent with
what you had done.
I was out to kill the substring thing.
I'm still nervous about request.getDecodedRequestURI() returning
the original URI even after the request has been mapped to a welcome
page. This violates spec requirement that any container specific
mechanism for mapping request to welcome page must be
indistinguishable from a direct request.
Changing this is very risky, as it will have uses elsewhere. If using 
Eclipse, you should use the call hierarchy (since it's an internal 
method which is never used through reflection).

Rémy


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2005-03-02 Thread Jan Luehe
Bill,

Bill Barker wrote:
 - Original Message -
 From: Jan Luehe [EMAIL PROTECTED]
 To: Tomcat Developers List tomcat-dev@jakarta.apache.org
 Sent: Wednesday, March 02, 2005 12:51 PM
 Subject: Re: cvs commit:
 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
 RealmBase.java
 
 
 
Bill/Remy,

Bill Barker wrote:

- Original Message -
From: Remy Maucherat [EMAIL PROTECTED]
To: Tomcat Developers List tomcat-dev@jakarta.apache.org
Sent: Wednesday, March 02, 2005 11:56 AM
Subject: Re: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
RealmBase.java




[EMAIL PROTECTED] wrote:


luehe   2005/03/02 11:27:11

 Modified:catalina/src/share/org/apache/catalina/realm

RealmBase.java


 Log:
 Consider the case where original request was mapped to welcome page.
 In this case, the mapped welcome page (and not the original request
 URI!) needs to be the target of hasResourcePermission().

 This is consistent with the change that had been made in

findSecurityConstraints().


 BTW, shouldn't request.getDecodedRequestURI() return the mapped
 welcome page (instead of the original URI) in this case?
 In other words, shouldn't the path passed to
   mappingData.requestPath.setString(pathStr)
 in Mapper.java be propagated to the request object associated with the
 mappingData?

I consider welcome files to be internal forwards (since it is allowed to
handle them this way). As a result, they shouldn't be matched by
security constraints. Only the original request path should be used
(so here it's getDecodedRequestURI - as sent by the client).



I agree with Remy.  It's an internal Tomcat implementation detail that
welcome-files aren't handled via DefaultServlet doing:
  RequestDispatcher rd = request.getRequestDispatcher(welcome[i]);
  rd.forward(request, response);
Since this is explicitly allowed by the spec, nobody can expect that a
security-constraint mapped only to the welcome-file will be applied.
However, this is probably another thing that should be better specified in
the 2.5 spec.


But SRV.9.10 (Welcome Files) already has this:

 The container may send the request to the welcome resource with
 a forward, a redirect, or a container specific mechanism
 **that is indistinguishable from a direct request**.

 
 
 I read the emphasised text as referring to 'container specific mechanism'.

So do I. indistinguishable from a direct request means that any
sec constraints will have to be applied to welcome pages when the
request is sent to the welcome page via container specific
mechanism (as in Tomcat).

 Yes, I agree that the last-minute changes that were made to 9.10 made it a
 total mess, but it still explicitly allows DefaultServlet to do a
 rd.forward.

Yes, in which case the welcome page that is the target of the
rd.forward() will not be subjected to any sec constraints.

So the spec is inconsistent as to whether sec constraints need to
be applied to welcome pages.

This means that web developers should always use a pattern of this
form:

  <url-pattern>/*</url-pattern>

in their DD's security constraints if they want their welcome
pages to be subjected to the specified sec constraints no matter
which container their webapp is deployed on.

If they specify:

  <url-pattern>*.jsp</url-pattern>

their index.jsp welcome page will not be subjected to any sec
constraints in containers that send the request to the welcome page
using rd.forward().

The latter to me implies that any sec constraints must be applied
to the mapped welcome page (if any).

Also, see the attached diffs, in particular:

 
 
 Firstly, I'm strongly -1 on the patch, since removing the 'if(found)return'
 statements causes Tomcat to no longer be spec-compliant.  Just because the
 spec is silly doesn't mean that we don't have to implement it.

The patch I attached is 1 year old.
My main purpose in attaching it was to draw attention to
this change in rev 1.24:
 
 
-String uri = request.getDecodedRequestURI();
-String contextPath = hreq.getContextPath();
-if (contextPath.length()  0)
-uri = uri.substring(contextPath.length());
+String uri = request.getRequestPathMB().toString();

in findSecurityConstraints().

Remy had restored the 'if(found)return' in rev 1.25:

revision 1.25
date: 2004/01/11 09:23:42;  author: remm;  state: Exp;  lines: +11 -11
- Ooops. Put back the if(found) blocks.

revision 1.24
date: 2004/01/10 17:23:39;  author: remm;  state: Exp;  lines: +16 -11
- findMethod wasn't called on the right collection.
- The algorithm ignored extension mapped constraints as long as a wildcard
  or exact mapped constraint was found. This doesn't seem right (I did quickly
  read the relevant portions of the spec).
- Next, I'll try to optimize the algorithm (allocating a collection on each request
  is not good, we should add a matched constraints array on the request).

When accessing host:port:/somecontext
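
The disagreement in this thread comes down to which path a constraint's url-pattern is matched against. As an added example (not code from the thread or from Tomcat), the sketch below applies the servlet url-pattern rules to both candidate paths for the request to /somecontext/ described above. With `*.jsp` only the mapped path of the directory request is covered, while `/*` covers both views. The class, record and method names are hypothetical, and the matcher is a simplified stand-in for findSecurityConstraints().

```java
import java.util.List;

/**
 * Added illustration, not Tomcat code. All names here are hypothetical;
 * the request values are constructed from the example in the thread.
 */
public class WelcomeFileConstraintDemo {

    /** One request as seen before and after the mapper picked a welcome file. */
    record MappedRequest(String decodedRequestURI, String contextPath, String mappedPath) {

        /** Path as sent by the client, relative to the context (the pre-1.24 calculation). */
        String clientPath() {
            return contextPath.isEmpty()
                    ? decodedRequestURI
                    : decodedRequestURI.substring(contextPath.length());
        }
    }

    /** Servlet url-pattern rules: exact, path prefix, extension, default. */
    static boolean matches(String pattern, String path) {
        if (pattern.equals(path)) {
            return true;                                   // exact match
        }
        if (pattern.endsWith("/*")) {                      // path prefix, e.g. "/admin/*" or "/*"
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {                    // extension, e.g. "*.jsp"
            int slash = path.lastIndexOf('/');
            int dot = path.lastIndexOf('.');
            return dot > slash && path.substring(dot).equals(pattern.substring(1));
        }
        return pattern.equals("/");                        // default mapping
    }

    /** True when at least one url-pattern of the constraint covers the path. */
    static boolean constraintApplies(List<String> urlPatterns, String path) {
        return urlPatterns.stream().anyMatch(p -> matches(p, path));
    }

    public static void main(String[] args) {
        List<MappedRequest> requests = List.of(
                // Directory request that the mapper resolves to the welcome file.
                new MappedRequest("/somecontext/", "/somecontext", "/index.jsp"),
                // The same JSP requested directly.
                new MappedRequest("/somecontext/index.jsp", "/somecontext", "/index.jsp"));

        List<List<String>> constraints = List.of(
                List.of("*.jsp"),   // pattern from the constraint quoted in the thread
                List.of("/*"));     // pattern suggested in the thread for portability

        for (List<String> patterns : constraints) {
            for (MappedRequest r : requests) {
                System.out.printf(
                        "patterns=%s uri=%s  clientPath=%s protected=%b  mappedPath=%s protected=%b%n",
                        patterns, r.decodedRequestURI(),
                        r.clientPath(), constraintApplies(patterns, r.clientPath()),
                        r.mappedPath(), constraintApplies(patterns, r.mappedPath()));
            }
        }
    }
}
```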

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2005-01-06 Thread pero
pero2005/01/06 12:15:23

  Modified:catalina/src/share/org/apache/catalina/realm Tag: TOMCAT_5_0
RealmBase.java
  Log:
  Hups a strange typo..
  
  Revision  ChangesPath
  No   revision
  No   revision
  1.33.2.4  +2 -2  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.33.2.3
  retrieving revision 1.33.2.4
  diff -u -r1.33.2.3 -r1.33.2.4
  --- RealmBase.java9 Dec 2004 13:52:59 -   1.33.2.3
  +++ RealmBase.java6 Jan 2005 20:15:23 -   1.33.2.4
  @@ -1094,7 +1094,7 @@
   
   byte[] digest = null;
   // Bugzilla 32137
  -synchornized(md5Helper) {
  +synchronized(md5Helper) {
   digest = md5Helper.digest(valueBytes);
   }
   
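Review bot: the removed line `synchornized(md5Helper) {` is not valid Java, so revision 1.33.2.3 on the TOMCAT_5_0 branch cannot have compiled; the branch should be built before a backport is committed. On the fix itself, `synchronized(md5Helper)` only protects this call site: every other `md5Helper.digest(...)` call in the class needs the same lock, otherwise two threads can still use the digest object at once. A short comment next to the `// Bugzilla 32137` line saying why the lock is needed would help whoever touches this next.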
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-10-25 Thread markt
markt   2004/10/25 11:31:57

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Enable digested credentials to be used with DIGEST authentication
   - The credentials must be the MD5 digest of
  username:realmname:password
  
  Note: The digests that must be stored for DIGEST authentication are different
to those that must be stored for BASIC or FORM authentication. This
isn't perfect but is better than the current situation where DIGEST just
can't be used with digested credentials.
  
  Revision  ChangesPath
  1.41  +7 -1  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.40
  retrieving revision 1.41
  diff -u -r1.40 -r1.41
  --- RealmBase.java5 Oct 2004 17:12:52 -   1.40
  +++ RealmBase.java25 Oct 2004 18:31:57 -  1.41
  @@ -1025,6 +1025,12 @@
   throw new IllegalStateException();
   }
   }
  +
  + if (hasMessageDigest()) {
  + // Use pre-generated digest
  + return getPassword(username);
  + }
  + 
   String digestValue = username + : + realmName + :
   + getPassword(username);
   byte[] digest =
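Review bot: the early `return getPassword(username);` under `hasMessageDigest()` trusts that the stored value is exactly the MD5 of username:realmname:password, but nothing in the hunk checks the configured digest algorithm or how the stored digest was computed. A realm populated with password-only digests for BASIC or FORM will fail every DIGEST login with no hint why. A debug log line or a documented configuration requirement at this branch would help. The `// Use pre-generated digest` comment should also say that the stored value now stands in for the digest otherwise computed from the clear-text password, so for DIGEST it is as sensitive as the password itself.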
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-10-05 Thread remm
remm2004/10/05 00:54:07

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  - Refactor the commented out sys outs as a debug logging statement.
  
  Revision  ChangesPath
  1.39  +9 -18 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.38
  retrieving revision 1.39
  diff -u -r1.38 -r1.39
  --- RealmBase.java3 Oct 2004 08:53:56 -   1.38
  +++ RealmBase.java5 Oct 2004 07:54:07 -   1.39
  @@ -310,21 +310,6 @@
 String qop, String realm,
 String md5a2) {
   
  -/*
  -  System.out.println(Digest :  + clientDigest);
  -
  -  System.out.println( Digest info);
  -  System.out.println(Username: + username);
  -  System.out.println(ClientSigest: + clientDigest);
  -  System.out.println(nOnce: + nOnce);
  -  System.out.println(nc: + nc);
  -  System.out.println(cnonce: + cnonce);
  -  System.out.println(qop: + qop);
  -  System.out.println(realm: + realm);
  -  System.out.println(md5a2: + md5a2);
  -*/
  -
  -
   String md5a1 = getDigest(username, realm);
   if (md5a1 == null)
   return null;
  @@ -332,8 +317,14 @@
   + cnonce + : + qop + : + md5a2;
   String serverDigest =
   md5Encoder.encode(md5Helper.digest(serverDigestValue.getBytes()));
  -//System.out.println(Server digest :  + serverDigest);
  -
  +if (log.isDebugEnabled()) {
  +log.debug(Digest :  + clientDigest +  Username: + username 
  ++  ClientSigest: + clientDigest +  nOnce: + nOnce 
  ++  nc: + nc +  cnonce: + cnonce +  qop: + qop 
  ++  realm: + realm + md5a2: + md5a2 
  ++  Server digest: + serverDigest);
  +}
  +
   if (serverDigest.equals(clientDigest))
   return getPrincipal(username);
   else
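
Review bot: The added `log.debug` statement writes the client's response digest, `nOnce`, `cnonce`, `md5a2` and the server-computed digest for every DIGEST attempt, so anyone who can read a debug log sees the exact value that authenticates that request. Logging the username, the realm and whether the two digests matched would be enough for troubleshooting. In the same statement `clientDigest` is printed twice (once under `Digest :` and once under the misspelled `ClientSigest:` label), and the `md5a2:` label appears to have no leading space, so it runs into the realm value.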
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-08-30 Thread yoavs
yoavs   2004/08/30 13:31:42

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Better null checking in RealmBase#findSecurityConstraints: see Bugzilla 30624.
  
  Revision  ChangesPath
  1.37  +65 -5 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.36
  retrieving revision 1.37
  diff -u -r1.36 -r1.37
  --- RealmBase.java3 Jul 2004 04:16:41 -   1.36
  +++ RealmBase.java30 Aug 2004 20:31:42 -  1.37
  @@ -404,12 +404,27 @@
   for (i = 0; i  constraints.length; i++) {
   SecurityCollection [] collection = constraints[i].findCollections();

  -if (log.isDebugEnabled())
  +// If collection is null, continue to avoid an NPE
  +// See Bugzilla 30624
  +if ( collection == null) {
  + continue;
  +}
  +
  +if (log.isDebugEnabled()) {
   log.debug(  Checking constraint ' + constraints[i] +
   ' against  + method +   + uri +  --  +
   constraints[i].included(uri, method));
  + }
  +
   for(int j=0; j  collection.length; j++){
   String [] patterns = collection[j].findPatterns();
  + 
  +// If patterns is null, continue to avoid an NPE
  +// See Bugzilla 30624
  +if ( patterns == null) {
  + continue;
  +}
  +
   for(int k=0; k  patterns.length; k++) {
   if(uri.equals(patterns[k])) {
   found = true;
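
Review bot: In the added `collection == null` check, `continue` drops the constraint out of matching without any trace, and because the check sits ahead of the `log.debug` call, even a debug log does not record that a constraint was skipped. A constraint with no collections is most likely a configuration error, so a log line naming `constraints[i]` before the `continue` would make it visible. The same applies to the `patterns == null` check in the inner loop.
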
  @@ -433,12 +448,27 @@
   for (i = 0; i  constraints.length; i++) {
   SecurityCollection [] collection = constraints[i].findCollections();
   
  -if (log.isDebugEnabled())
  +// If collection is null, continue to avoid an NPE
  +// See Bugzilla 30624
  +if ( collection == null) {
  + continue;
  +}
  +
  +if (log.isDebugEnabled()) {
   log.debug(  Checking constraint ' + constraints[i] +
   ' against  + method +   + uri +  --  +
   constraints[i].included(uri, method));
  + }
  +
   for(int j=0; j  collection.length; j++){
   String [] patterns = collection[j].findPatterns();
  +
  +// If patterns is null, continue to avoid an NPE
  +// See Bugzilla 30624
  +if ( patterns == null) {
  + continue;
  +}
  +
   boolean matched = false;
   int length = -1;
   for(int k=0; k  patterns.length; k++) {
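
Review bot: The `collection == null` and `patterns == null` guards here are a copy of the ones added at line 404, and the patch repeats them in two more loops. A small private helper that returns an empty array for null would keep the four passes from drifting apart. The added `continue;` and closing-brace lines also look indented differently from the code around them, which suggests tabs mixed with spaces.
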
  @@ -483,15 +513,30 @@
   
   for (i = 0; i  constraints.length; i++) {
   SecurityCollection [] collection = constraints[i].findCollections();
  +
  +// If collection is null, continue to avoid an NPE
  +// See Bugzilla 30624
  +if ( collection == null) {
  + continue;
  +}
   
  -if (log.isDebugEnabled())
  +if (log.isDebugEnabled()) {
   log.debug(  Checking constraint ' + constraints[i] +
   ' against  + method +   + uri +  --  +
   constraints[i].included(uri, method));
  + }
  +
   boolean matched = false;
   int pos = -1;
   for(int j=0; j  collection.length; j++){
   String [] patterns = collection[j].findPatterns();
  +
  +// If patterns is null, continue to avoid an NPE
  +// See Bugzilla 30624
  +if ( patterns == null) {
  + continue;
  +}
  +
   for(int k=0; k  patterns.length  !matched; k++) {
   String pattern = patterns[k];
   if(pattern.startsWith(*.)){
  @@ -526,12 +571,27 @@
   for (i = 0; i  constraints.length; i++) {
   SecurityCollection [] collection = constraints[i].findCollections();
   
  -if (log.isDebugEnabled())
  +// If collection is null, continue to avoid an NPE
  +// See Bugzilla 30624
  +if ( collection == null) {
  + continue;
  +}
  +
  +if (log.isDebugEnabled()) {
   log.debug(  Checking constraint ' + constraints[i] +
   ' against  + method +   + uri +  --  +
   constraints[i].included(uri, method));
  + }
  +
   for(int j=0; 

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-05-26 Thread yoavs
yoavs   2004/05/26 08:51:25

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Minor JavaDoc fixes (Bugzilla 28335)
  
  Revision  ChangesPath
  1.33  +4 -4  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.32
  retrieving revision 1.33
  diff -u -r1.32 -r1.33
  --- RealmBase.java19 Apr 2004 23:13:08 -  1.32
  +++ RealmBase.java26 May 2004 15:51:25 -  1.33
  @@ -590,8 +590,8 @@
*
* @param request Request we are processing
* @param response Response we are creating
  - * @param constraint Security constraint we are enforcing
  - * @param The Context to which client of this class is attached.
  + * @param constraints Security constraint we are enforcing
  + * @param context The Context to which client of this class is attached.
*
* @exception IOException if an input/output error occurs
*/
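
Review bot: In the corrected `@param constraints` line the description still reads "Security constraint we are enforcing" in the singular. Now that the tag names a plural parameter, the text should say "Security constraints" so tag and description agree; the same wording recurs in the hunk at line 724.
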
  @@ -724,7 +724,7 @@
*
* @param request Request we are processing
* @param response Response we are creating
  - * @param constraint Security constraint being checked
  + * @param constraints Security constraint being checked
*
* @exception IOException if an input/output error occurs
*/
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-04-19 Thread luehe
luehe   2004/04/19 13:42:01

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Exempt welcome pages from any security-constraint checks.
  
  The Servlet 2.4 spec does not require this (and there are no CTS tests
  for this), but it seems like a reasonable enhancement. I was told that
  the upcoming maintenance release of the Servlet spec is going to
  clarify this.
  
  If this change is controversial, I'll back it out for the time being,
  until it is backed by the Servlet spec. Please let me know.
  
  Revision  ChangesPath
  1.31  +28 -3 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.30
  retrieving revision 1.31
  diff -u -r1.30 -r1.31
  --- RealmBase.java27 Feb 2004 14:58:45 -  1.30
  +++ RealmBase.java19 Apr 2004 20:42:01 -  1.31
  @@ -411,7 +411,12 @@
   // Check each defined security constraint
   HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
   String uri = request.getRequestPathMB().toString();
  -
  +
  +// Welcome files are exempted from any security-constraint checks
  +if (isWelcomeFile(uri, context)) {
  +return null;
  +}
  +
   String method = hreq.getMethod();
   int i;
   boolean found = false;
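
Review bot: The `isWelcomeFile(uri, context)` check returns `null` before any constraint is examined, so an application that protects `/*` would start serving its top-level welcome file without authentication after an upgrade, and nothing is logged when that happens. Since the log message says the Servlet 2.4 spec does not require this, the exemption should be opt-in (off by default) and should emit a `log.debug` line when it applies. The lookup also runs on every request, including those that name no welcome file.
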
  @@ -582,7 +587,27 @@
   return array;
   }
   
  -
  +
  +/*
  + * Returns true of the given tturi/tt identifies a welcome file.
  + *
  + * @param uri The URI to check against the context's list of welcome files
  + * @param ctx The web context
  + * 
  + * @return true if the given tturi/tt identifies a welcome file,
  + * false otherwise
  + */
  +private boolean isWelcomeFile(String uri, Context ctx) {
  +
  +int slash = uri.indexOf('/');
  +if (slash == 0  uri.length()  1) {
  +return ctx.findWelcomeFile(uri.substring(1));
  +} else {
  +return false;
  +}
  +}
  +
  + 
   /**
* Perform access control based on the specified authorization constraint.
* Return codetrue/code if this constraint is satisfied and processing
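
Review bot: In `isWelcomeFile`, `uri.substring(1)` is passed to `findWelcomeFile` whole, so only a welcome file directly under the context root can match and one in a subdirectory never will; if that limit is intended, the comment should say so. The comment block opens with `/*` rather than `/**`, so its `@param` and `@return` tags are not picked up as JavaDoc, and "Returns true of" should read "Returns true if". The test `uri.indexOf('/')` compared with 0 would read more directly as a `startsWith` call.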
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-04-19 Thread Remy Maucherat
[EMAIL PROTECTED] wrote:
luehe   2004/04/19 13:42:01

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Exempt welcome pages from any security-constraint checks.
  
  The Servlet 2.4 spec does not require this (and there are no CTS tests
  for this), but it seems like a reasonable enhancement. I was told that
  the upcoming maintenance release of the Servlet spec is going to
  clarify this.
  
  If this change is controversial, I'll back it out for the time being,
  until it is backed by the Servlet spec. Please let me know.

-1. This is very inefficient. I also happen to not dislike the current 
behavior ;)

Rémy



cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-04-19 Thread luehe
luehe   2004/04/19 16:13:08

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Reverted previous patch
  
  Revision  ChangesPath
  1.32  +2 -27 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.31
  retrieving revision 1.32
  diff -u -r1.31 -r1.32
  --- RealmBase.java19 Apr 2004 20:42:01 -  1.31
  +++ RealmBase.java19 Apr 2004 23:13:08 -  1.32
  @@ -411,12 +411,7 @@
   // Check each defined security constraint
   HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
   String uri = request.getRequestPathMB().toString();
  -
  -// Welcome files are exempted from any security-constraint checks
  -if (isWelcomeFile(uri, context)) {
  -return null;
  -}
  -
  +
   String method = hreq.getMethod();
   int i;
   boolean found = false;
  @@ -587,27 +582,7 @@
   return array;
   }
   
  -
  -/*
  - * Returns true of the given tturi/tt identifies a welcome file.
  - *
  - * @param uri The URI to check against the context's list of welcome files
  - * @param ctx The web context
  - * 
  - * @return true if the given tturi/tt identifies a welcome file,
  - * false otherwise
  - */
  -private boolean isWelcomeFile(String uri, Context ctx) {
  -
  -int slash = uri.indexOf('/');
  -if (slash == 0  uri.length()  1) {
  -return ctx.findWelcomeFile(uri.substring(1));
  -} else {
  -return false;
  -}
  -}
  -
  - 
  +
   /**
* Perform access control based on the specified authorization constraint.
* Return codetrue/code if this constraint is satisfied and processing
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-04-19 Thread Bill Barker

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 1:42 PM
Subject: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
RealmBase.java


 luehe   2004/04/19 13:42:01

   Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
   Log:
   Exempt welcome pages from any security-constraint checks.

   The Servlet 2.4 spec does not require this (and there are no CTS tests
   for this), but it seems like a reasonable enhancement. I was told that
   the upcoming maintenance release of the Servlet spec is going to
   clarify this.

   If this change is controversial, I'll back it out for the time being,
   until it is backed by the Servlet spec. Please let me know.


I second Remy's -1.  The patch exempts only the top level welcome file
(e.g. /myapp/index.jsp), and so is meaningful mostly in the case where you
have a security constraint mapped to '/*'.  In this case, you can easily add
a security-constraint with an exact pattern '/index.jsp' if you need the
functionality.

Also, if the welcome file includes links to images or stylesheets, then it
is likely that you will have to set up even more complex security-constraints
to allow it to display.  If the spec eventually mandates it, then we'll have
to do it.  Until then it breaks more things than it fixes, IMHO.




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-02-08 Thread Remy Maucherat
[EMAIL PROTECTED] wrote:
billbarker2004/02/06 21:54:32

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Went back and re-read the spec.
  
  A url-pattern of /protected/* must match a request for /protected.  Hence a special case for this one.
  
  Revision  ChangesPath
  1.29  +8 -5  jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.28
  retrieving revision 1.29
  diff -u -r1.28 -r1.29
  --- RealmBase.java	7 Feb 2004 05:24:08 -	1.28
  +++ RealmBase.java	7 Feb 2004 05:54:32 -	1.29
  @@ -511,7 +511,10 @@
   matched = true;
   length = pattern.length();
   } else if(pattern.regionMatches(0,uri,0,
  -pattern.length()-1)) {
  +pattern.length()-1) ||
  +  (pattern.length()-2 == uri.length() 
  +   pattern.regionMatches(0,uri,0,
  +pattern.length()-2))) {
   matched = true;
   length = pattern.length();
   }

The algorithm from ApplicationFilterFactory is:

        // Case 2 - Path Match ("/.../*")
        if (testPath.equals("/*"))
            return (true);
        if (testPath.endsWith("/*")) {
            if (testPath.regionMatches(0, requestPath, 0,
                                       testPath.length() - 2)) {
                if (requestPath.length() == (testPath.length() - 2)) {
                    return (true);
                } else if ('/' == requestPath.charAt(testPath.length() - 2)) {
                    return (true);
                }
            }
            return (false);
        }

I believe these two should be equivalent now, which is good, but for 
clarity we should (IMO) use the same. Mine would be less efficient 
possibly but is probably easier to understand. Obviously, as long as it 
works, we're fine :)

Rémy
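
The three revisions of the path-prefix test from this thread and the ApplicationFilterFactory form quoted in the reply above, run side by side on a few request paths. This is an added example, not code from the Tomcat tree; the class name, method names and sample paths are made up for illustration, and it only exercises patterns that end in `/*`.

```java
public class PathPatternCheck {

    // Rev 1.27: compares pattern.length()-2 characters, so the '/' before
    // the '*' is never checked against the request path.
    static boolean rev127(String pattern, String uri) {
        return pattern.regionMatches(0, uri, 0, pattern.length() - 2);
    }

    // Rev 1.28: the compared region now includes the '/'.
    static boolean rev128(String pattern, String uri) {
        return pattern.regionMatches(0, uri, 0, pattern.length() - 1);
    }

    // Rev 1.29: rev 1.28 plus the special case for the directory itself.
    static boolean rev129(String pattern, String uri) {
        return pattern.regionMatches(0, uri, 0, pattern.length() - 1)
                || (pattern.length() - 2 == uri.length()
                    && pattern.regionMatches(0, uri, 0, pattern.length() - 2));
    }

    // The ApplicationFilterFactory form quoted in the reply above.
    static boolean filterFactory(String testPath, String requestPath) {
        if (testPath.equals("/*")) {
            return true;
        }
        if (testPath.endsWith("/*")) {
            if (testPath.regionMatches(0, requestPath, 0, testPath.length() - 2)) {
                if (requestPath.length() == testPath.length() - 2) {
                    return true;
                } else if ('/' == requestPath.charAt(testPath.length() - 2)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data: {url-pattern, request path}.
        String[][] cases = {
            {"/s/*", "/simon/rant.html"},          // the reported over-match
            {"/protected/*", "/protected"},        // the directory itself
            {"/protected/*", "/protected/"},
            {"/protected/*", "/protected/a.html"},
            {"/protected/*", "/protectedx/a.html"}, // sibling with same prefix
            {"/protected/*", "/prot"},              // shorter than the prefix
        };

        System.out.printf("%-14s %-22s %-6s %-6s %-6s %-6s%n",
                "pattern", "request path", "1.27", "1.28", "1.29", "AFF");
        for (String[] c : cases) {
            boolean r127 = rev127(c[0], c[1]);
            boolean r128 = rev128(c[0], c[1]);
            boolean r129 = rev129(c[0], c[1]);
            boolean aff = filterFactory(c[0], c[1]);
            System.out.printf("%-14s %-22s %-6b %-6b %-6b %-6b%n",
                    c[0], c[1], r127, r128, r129, aff);

            // The reply expects rev 1.29 and the filter form to agree;
            // fail loudly if a sample path shows otherwise.
            if (r129 != aff) {
                throw new IllegalStateException(
                        "rev 1.29 and ApplicationFilterFactory disagree on "
                        + c[0] + " vs " + c[1]);
            }
        }
    }
}
```

Save it as PathPatternCheck.java and run it with `java PathPatternCheck.java` (Java 11 or later); the 1.27 and 1.28 columns show where each earlier revision over- or under-matches.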



cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-02-06 Thread billbarker
billbarker2004/02/06 21:24:08

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Fix stupid off-by-one bug.
  
  Before, a url-pattern of /s/* would match /simon/rant.html
  
  Reported by: Yann Cebron [EMAIL PROTECTED]
  
  Revision  ChangesPath
  1.28  +5 -5  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.27
  retrieving revision 1.28
  diff -u -r1.27 -r1.28
  --- RealmBase.java26 Jan 2004 20:19:11 -  1.27
  +++ RealmBase.java7 Feb 2004 05:24:08 -   1.28
  @@ -511,7 +511,7 @@
   matched = true;
   length = pattern.length();
   } else if(pattern.regionMatches(0,uri,0,
  -pattern.length()-2)) {
  +pattern.length()-1)) {
   matched = true;
   length = pattern.length();
   }
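
Review bot: With the length changed to `pattern.length()-1` the compared region now includes the `/` before the `*`, which stops `/s/*` from matching `/simon/rant.html`, but `regionMatches` then returns false for a request that is exactly the directory path (`/s`), because the URI is shorter than the region. If a bare `/s` is meant to be covered by `/s/*`, that case needs handling and a test of its own. A short comment on why the offset is -1 would also help the next reader.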
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-02-06 Thread billbarker
billbarker2004/02/06 21:54:32

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Went back and re-read the spec.
  
  A url-pattern of /protected/* must match a request for /protected.  Hence a special 
case for this one.
  
  Revision  ChangesPath
  1.29  +8 -5  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.28
  retrieving revision 1.29
  diff -u -r1.28 -r1.29
  --- RealmBase.java7 Feb 2004 05:24:08 -   1.28
  +++ RealmBase.java7 Feb 2004 05:54:32 -   1.29
  @@ -511,7 +511,10 @@
   matched = true;
   length = pattern.length();
   } else if(pattern.regionMatches(0,uri,0,
  -pattern.length()-1)) {
  +pattern.length()-1) ||
  +  (pattern.length()-2 == uri.length() 
  +   pattern.regionMatches(0,uri,0,
  +pattern.length()-2))) {
   matched = true;
   length = pattern.length();
   }
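
Review bot: The condition now mixes two offsets, `pattern.length()-1` and `pattern.length()-2`, in one expression with no comment, in the same spot that had an off-by-one one revision earlier. A one-line comment per alternative (prefix including the slash, exact match on the directory itself) would make it reviewable, and unit cases for `/protected`, `/protected/x` and `/protectedx` would pin the behaviour down.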
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-01-21 Thread luehe
luehe   2004/01/21 10:46:19

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Fix for Bugtraq 4932547: Replaced SC_INTERNAL_SERVER_ERROR with
  SC_FORBIDDEN if anonymous access (caused by missing
  login-config/auth-method in web.xml) is not allowed
  
  Revision  ChangesPath
  1.26  +5 -5  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.25
  retrieving revision 1.26
  diff -u -r1.25 -r1.26
  --- RealmBase.java11 Jan 2004 09:23:42 -  1.25
  +++ RealmBase.java21 Jan 2004 18:46:19 -  1.26
  @@ -703,7 +703,7 @@
   if (log.isDebugEnabled())
   log.debug(  No user authenticated, cannot grant access);
   ((HttpServletResponse) response.getResponse()).sendError
  -(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
  +(HttpServletResponse.SC_FORBIDDEN,
sm.getString(realmBase.notAuthenticated));
   return (false);
   }
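
Review bot: The `log.debug` line above the changed status still says only "No user authenticated, cannot grant access", while the log message gives the real cause as a missing login-config/auth-method in web.xml. Since the client now gets a plain `SC_FORBIDDEN`, the cause should go into the logged message, preferably at a level above debug, so the deployer can find the misconfiguration.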
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-01-11 Thread Remy Maucherat
Bill Barker wrote:
remm2004/01/10 09:23:39

 Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
 Log:
 - findMethod wasn't called on the right collection.
 - The algorithm ignored extension mapped constraints as long as a wildcard
   or exact mapped constraint was found. This doesn't seem right (I did quickly
   read the relevant portions of the spec).

-1.  This is exactly what the spec says should happen.  Just because it is
silly doesn't change the fact it is what we have to implement.  Go read
section 12.8.3 again.

Ah ok. So the container provided authentication is really useless after all.
I didn't understand it that way.

Are there situations where more than one constraint is returned ?

Rémy



cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-01-11 Thread remm
remm2004/01/11 01:23:42

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  - Ooops. Put back the if(found) blocks.
  
  Revision  ChangesPath
  1.25  +11 -11
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.24
  retrieving revision 1.25
  diff -u -r1.24 -r1.25
  --- RealmBase.java10 Jan 2004 17:23:39 -  1.24
  +++ RealmBase.java11 Jan 2004 09:23:42 -  1.25
  @@ -484,11 +484,11 @@
   }
   }
   }
  -/*
  +
   if(found) {
   return resultsToArray(results);
   }
  -*/
  +
   int longest = -1;
   
   for (i = 0; i  constraints.length; i++) {
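
Review bot: The restored `if(found)` early returns carry no comment, and they were commented out one revision earlier because their purpose was not obvious. A line above each one saying that a match found in an earlier pass ends the search (the thread cites section 12.8.3 of the spec for this) would keep them from being removed again.
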
  @@ -534,11 +534,11 @@
   }
   }
   }
  -/*
  +
   if(found) {
   return  resultsToArray(results);
   }
  -*/
  +
   for (i = 0; i  constraints.length; i++) {
   SecurityCollection [] collection = constraints[i].findCollections();
   
  @@ -576,11 +576,11 @@
   }
   }
   }
  -/*
  +
   if(found) {
   return resultsToArray(results);
   }
  -*/
  +
   for (i = 0; i  constraints.length; i++) {
   SecurityCollection [] collection = constraints[i].findCollections();
   
  @@ -605,7 +605,7 @@
   }
   }
   }
  -
  +
   if(results == null) {
   // No applicable security constraint was found
   if (log.isDebugEnabled())
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-01-11 Thread Remy Maucherat
[EMAIL PROTECTED] wrote:
remm2004/01/11 01:23:42

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  - Ooops. Put back the if(found) blocks.
I left in some of my changes:

  @@ -457,10 +457,7 @@

   // Check each defined security constraint
   HttpServletRequest hreq = (HttpServletRequest) 
request.getRequest();
  -String uri = request.getDecodedRequestURI();
  -String contextPath = hreq.getContextPath();
  -if (contextPath.length()  0)
  -uri = uri.substring(contextPath.length());
  +String uri = request.getRequestPathMB().toString();

In many cases, the mapper has the String already, so this often saves 
one String (and I really don't like substring anyway).

  @@ -546,6 +547,7 @@
   ' against  + method +   + uri +  --  +
   constraints[i].included(uri, method));
   boolean matched = false;
  +int pos = -1;
   for(int j=0; j  collection.length; j++){
   String [] patterns = collection[j].findPatterns();
   for(int k=0; k  patterns.length  !matched; k++) {
  @@ -558,6 +560,7 @@
  uri.length()-dot == pattern.length()-1) {
if(pattern.regionMatches(1,uri,dot,uri.length()-dot)) {
   matched = true;
  +pos = j;
   }
   }
   }
  @@ -565,17 +568,19 @@
   }
   if(matched) {
   found = true;
  -if(collection[i].findMethod(method)) {
  +if(collection[pos].findMethod(method)) {
   if(results == null) {
   results = new ArrayList();
  -}
  +}
   results.add(constraints[i]);
   }
   }
   }
i was an index in the constraints array, so this should be a genuine bug.

Rémy





Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-01-11 Thread Bill Barker

- Original Message - 
From: Remy Maucherat [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Sunday, January 11, 2004 1:27 AM
Subject: Re: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
RealmBase.java


 [EMAIL PROTECTED] wrote:
  remm2004/01/11 01:23:42
 
Modified:catalina/src/share/org/apache/catalina/realm
RealmBase.java
Log:
- Ooops. Put back the if(found) blocks.

 I left in some of my changes:

@@ -457,10 +457,7 @@

 // Check each defined security constraint
 HttpServletRequest hreq = (HttpServletRequest)
 request.getRequest();
-String uri = request.getDecodedRequestURI();
-String contextPath = hreq.getContextPath();
-if (contextPath.length()  0)
-uri = uri.substring(contextPath.length());
+String uri = request.getRequestPathMB().toString();

 In many cases, the mapper has the String already, so this often saves
 one String (and I really don't like substring anyway).


This was older code that pre-dates the j-t-c Mapper.  +1 for this one.

@@ -546,6 +547,7 @@
 ' against  + method +   + uri +  --  +
 constraints[i].included(uri, method));
 boolean matched = false;
+int pos = -1;
 for(int j=0; j  collection.length; j++){
 String [] patterns = collection[j].findPatterns();
 for(int k=0; k  patterns.length  !matched; k++) {
@@ -558,6 +560,7 @@
uri.length()-dot == pattern.length()-1) {

 if(pattern.regionMatches(1,uri,dot,uri.length()-dot)) {
 matched = true;
+pos = j;
 }
 }
 }
@@ -565,17 +568,19 @@
 }
 if(matched) {
 found = true;
-if(collection[i].findMethod(method)) {
+if(collection[pos].findMethod(method)) {
 if(results == null) {
 results = new ArrayList();
-}
+}
 results.add(constraints[i]);
 }
 }
 }

 i was an index in the constraints array, so this should be a genuine bug.


This was a cut-and-paste bug.  Also +1.

 Rémy




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-01-11 Thread Bill Barker

- Original Message - 
From: Remy Maucherat [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Sunday, January 11, 2004 1:18 AM
Subject: Re: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
RealmBase.java


 Bill Barker wrote:
 remm2004/01/10 09:23:39
 
   Modified:catalina/src/share/org/apache/catalina/realm
RealmBase.java
   Log:
   - findMethod wasn't called on the right collection.
   - The algorithm ignored extension mapped constraints as long as a wildcard
     or exact mapped constraint was found. This doesn't seem right (I did quickly
     read the relevant portions of the spec).

  -1.  This is exactly what the spec says should happen.  Just because it is
  silly doesn't change the fact it is what we have to implement.  Go read
  section 12.8.3 again.

 Ah ok. So the container provided authentication  is really useless after
 all.
 I didn't understand it that way.


It's the only way that you can use the Combining Constraints (section
12.8.1) at all, since that says to use the least restrictive constraint.

 Are there situations where more than one constraint is returned ?


Not very often, but it is possible.  The example in 12.8.2 would be one such
case.

 Rémy



cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-01-10 Thread remm
remm2004/01/10 09:23:39

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  - findMethod wasn't called on the right collection.
  - The algorithm ignored extension mapped constraints as long as a wildcard
or exact mapped constraint was found. This doesn't seem right (I did quickly
read the relevant portions of the spec).
  - Next, I'll try to optimize the algorithm (allocating a collection on each request
is not good, we should add a matched constraints array on the request).
  
  Revision  ChangesPath
  1.24  +16 -11
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.23
  retrieving revision 1.24
  diff -u -r1.23 -r1.24
  --- RealmBase.java26 Dec 2003 17:33:44 -  1.23
  +++ RealmBase.java10 Jan 2004 17:23:39 -  1.24
  @@ -457,10 +457,7 @@
   
   // Check each defined security constraint
   HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
  -String uri = request.getDecodedRequestURI();
  -String contextPath = hreq.getContextPath();
  -if (contextPath.length()  0)
  -uri = uri.substring(contextPath.length());
  +String uri = request.getRequestPathMB().toString();
   
   String method = hreq.getMethod();
   int i;
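
Review bot: `request.getRequestPathMB().toString()` replaces a path that was built from `getDecodedRequestURI()`, and the patch does not say whether the mapper's path has been URL-decoded and normalised in the same way. Constraint patterns are compared against this string, so any difference in decoding changes which requests are protected. A comment on the new line stating what form the path is in would settle it.
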
  @@ -486,10 +483,12 @@
   }
   }
   }
  -}
  +}
  +/*
   if(found) {
   return resultsToArray(results);
   }
  +*/
   int longest = -1;
   
   for (i = 0; i  constraints.length; i++) {
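
Review bot: Wrapping `if(found)` in `/* */` leaves dead code behind and changes which constraints are returned: after a match in this pass the later passes now still run and add their constraints to `results`. The log message itself says the spec was only read quickly, so the precedence rule should be confirmed before it is changed, and if the change stands the block should be deleted rather than commented out.
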
  @@ -535,9 +534,11 @@
   }
   }
   }
  +/*
   if(found) {
   return  resultsToArray(results);
   }
  +*/
   for (i = 0; i  constraints.length; i++) {
   SecurityCollection [] collection = constraints[i].findCollections();
   
  @@ -546,6 +547,7 @@
   ' against  + method +   + uri +  --  +
   constraints[i].included(uri, method));
   boolean matched = false;
  +int pos = -1;
   for(int j=0; j  collection.length; j++){
   String [] patterns = collection[j].findPatterns();
   for(int k=0; k  patterns.length  !matched; k++) {
  @@ -558,6 +560,7 @@
  uri.length()-dot == pattern.length()-1) {
   if(pattern.regionMatches(1,uri,dot,uri.length()-dot)) {
   matched = true;
  +pos = j;
   }
   }
   }
  @@ -565,17 +568,19 @@
   }
   if(matched) {
   found = true;
  -if(collection[i].findMethod(method)) {
  +if(collection[pos].findMethod(method)) {
   if(results == null) {
   results = new ArrayList();
  -}
  +}
   results.add(constraints[i]);
   }
   }
   }
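
Review bot: `collection[pos]` fixes the index, but `pos` only ever holds the first matching collection: once `matched` is true, the `!matched` condition on the inner `k` loop stops every later collection from being examined. If a later collection in the same constraint also matches the URI and lists the request method, `findMethod(method)` is never asked of it. Calling `findMethod` inside the `j` loop at the point of the match would cover that case.
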
  +/*
   if(found) {
   return resultsToArray(results);
   }
  +*/
   for (i = 0; i  constraints.length; i++) {
   SecurityCollection [] collection = constraints[i].findCollections();
   
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2004-01-10 Thread Bill Barker

- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, January 10, 2004 9:23 AM
Subject: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
RealmBase.java


 remm2004/01/10 09:23:39

   Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
   Log:
   - findMethod wasn't called on the right collection.
   - The algorithm ignored extension mapped constraints as long as a wildcard
     or exact mapped constraint was found. This doesn't seem right (I did quickly
     read the relevant portions of the spec).

-1.  This is exactly what the spec says should happen.  Just because it is
silly doesn't change the fact it is what we have to implement.  Go read
section 12.8.3 again.

   - Next, I'll try to optimize the algorithm (allocating a collection on
each request
 is not good, we should add a matched contraints array on the request).





cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-26 Thread remm
remm        2003/12/26 09:33:44

  Modified:    catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  - Fix nasty cut & paste bug in the algorithm.
  - I found this because there was no longer any challenge on many URLs
    when accessing the manager webapp.
  
  Revision  ChangesPath
  1.23  +7 -7  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.22
  retrieving revision 1.23
  diff -u -r1.22 -r1.23
  --- RealmBase.java12 Dec 2003 06:24:36 -  1.22
  +++ RealmBase.java26 Dec 2003 17:33:44 -  1.23
  @@ -504,7 +504,7 @@
   boolean matched = false;
   int length = -1;
   for(int k=0; k  patterns.length; k++) {
  -String pattern = patterns[j];
  +String pattern = patterns[k];
   if(pattern.startsWith(/)  pattern.endsWith(/*)  
  pattern.length() = longest) {
   
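Review bot: this `k` loop has no `!matched` guard, unlike the two loops changed further down, so with the corrected `patterns[k]` every pattern in the collection is now examined. If that is deliberate because this pass is looking for the longest `/*` pattern, a one-line comment saying so would stop someone from aligning it with the other loops later.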
  @@ -549,7 +549,7 @@
   for(int j=0; j  collection.length; j++){
   String [] patterns = collection[j].findPatterns();
   for(int k=0; k  patterns.length  !matched; k++) {
  -String pattern = patterns[j];
  +String pattern = patterns[k];
   if(pattern.startsWith(*.)){
   int slash = uri.lastIndexOf(/);
   int dot = uri.lastIndexOf(.);
  @@ -587,7 +587,7 @@
   String [] patterns = collection[j].findPatterns();
   boolean matched = false;
   for(int k=0; k  patterns.length  !matched; k++) {
  -String pattern = patterns[j];
  +String pattern = patterns[k];
   if(pattern.equals(/)){
   matched = true;
   }
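Review bot: the same `patterns[j]` to `patterns[k]` correction appears in three separate loops in this patch, so the pattern iteration is a candidate for one shared helper where the index cannot be mixed up again. With `patterns[j]` the loop used the collection index to read the patterns array, which can pick the wrong pattern or run past the end of the array; a regression test with a collection that holds more than one pattern would cover the missing-challenge symptom the log describes.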
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-12 Thread Bill Barker
N.B. The Filter mapping code looks broken to me.  It looks like if I have a
mapping for a url-pattern '*.jsp' that has <dispatcher>INCLUDE</dispatcher>,
then it will incorrectly match a <jsp:include page="header.jspf" />.

However, I haven't actually tested it. :).

Bill Barker [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

 - Original Message -
 From: Remy Maucherat [EMAIL PROTECTED]
 To: Tomcat Developers List [EMAIL PROTECTED]
 Sent: Thursday, December 11, 2003 1:40 AM
 Subject: Re: cvs commit:
 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
 RealmBase.java


  [EMAIL PROTECTED] wrote:
   billbarker    2003/12/10 21:50:39
  
   Modified:    catalina/src/share/org/apache/catalina Realm.java
   catalina/src/share/org/apache/catalina/authenticator
   AuthenticatorBase.java catalina/src/share/org/apache/catalina/realm
   RealmBase.java Log: First attempt to get Tomcat compliant with the
   Servlet 2.4 Spec for AA.
  
   This one isn't very efficient (but not much worse than it was before
   :).  Longer term, I'm looking to modify the j-t-c mapper to be able
   to return a Collection of mapped objects, and use that.  In that case
   it could also be used for Filter mappings.
 
  Filter mapping is simple, and should be efficient enough right now. It
  was really horrible in 4.1.x (except if somehow all filters are mapped
  to /* or the exact path :-D), and is obviously used a lot more in 5.0.x,
  so I did fix it. I was planning to use something fancy when I noticed
  the requirements for this algorithm:
  - we have to try all the mappings in order, which voids any possible
  optimization
  - I think we only have a String at our disposal for filter mapping:
  getting a char array would remove any performance benefit
  - we don't have to generate any paths or similar stuff from the mapping
  results
  - there was this regionMatches method in String that could do that
  matching test efficiently
  And the profiler seems happy :) Maybe it's lying though.
 
  For the constraint mapping, since we also have to test them all and
  return yes/no for each, I recommend using a similar custom algorithm.
 

 I see your point on char array.  I'll probably leave it as Strings.  I'll
 also look at the Filter mapping code.

   However, the entire point of the exercise is that we *don't* have to test
 all of the security-constraints.  If I have a security-constraint with a
 <url-pattern>/protected/*</url-pattern>, and another one with
 <url-pattern>*.jsp</url-pattern>, then for a request to
 /myapp/protected/index.jsp, only the first constraint is checked.  If you
 don't believe me, read 12.8.3 ;-).

   This version is just to get a Spec compliant version out there that
   can be tested.
 
  Rémy
 
 



Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-12 Thread Remy Maucherat
Bill Barker wrote:
N.B. The Filter mapping code looks broken to me.  It looks like if I have a
mapping for a url-pattern '*.jsp' that has <dispatcher>INCLUDE</dispatcher>,
then it will incorrectly match a <jsp:include page="header.jspf" />.
However, I haven't actually tested it. :).
I think there's an extra check for that case (this problem existed 
previously). I'll check.

Rémy



Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-12 Thread Remy Maucherat
Remy Maucherat wrote:

Bill Barker wrote:

N.B. The Filter mapping code looks broken to me.  It looks like if I have a
mapping for a url-pattern '*.jsp' that has <dispatcher>INCLUDE</dispatcher>,
then it will incorrectly match a <jsp:include page="header.jspf" />.

However, I haven't actually tested it. :).


I think there's an extra check for that case (this problem existed 
previously). I'll check.
I confirm that revision 1.10 of the filter factory fixed this.

RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationFilterFactory.java,v
retrieving revision 1.9
retrieving revision 1.10
diff -r1.9 -r1.10
292c292,294
  (period != requestPath.length() - 1)) {
---
  (period != requestPath.length() - 1)
  ((requestPath.length() - period)
 == (testPath.length() - 1))) {
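Review bot: the added length comparison is the only thing keeping a `*.jsp` mapping from matching a longer extension such as `.jspf`, and nothing in the condition says so. A short comment naming that case and the bug number next to `(requestPath.length() - period) == (testPath.length() - 1)` would help, as would a test for it, since the thread notes that the same logic was copied into the security-constraint code.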

So it compares the two extensions length, and was bug 22546.

Rémy





Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-12 Thread Bill Barker

- Original Message - 
From: Remy Maucherat [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Thursday, December 11, 2003 11:55 PM
Subject: Re: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
RealmBase.java


 Remy Maucherat wrote:

  Bill Barker wrote:
 
  N.B. The Filter mapping code looks broken to me.  It looks like if I have a
  mapping for a url-pattern '*.jsp' that has <dispatcher>INCLUDE</dispatcher>,
  then it will incorrectly match a <jsp:include page="header.jspf" />.
 
  However, I haven't actually tested it. :).
 
 
  I think there's an extra check for that case (this problem existed
  previously). I'll check.

 I confirm that revision 1.10 of the filter factory fixed this.

 RCS file:

/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/cor
e/ApplicationFilterFactory.java,v
 retrieving revision 1.9
 retrieving revision 1.10
 diff -r1.9 -r1.10
 292c292,294
   (period != requestPath.length() - 1)) {
 ---
(period != requestPath.length() - 1)
((requestPath.length() - period)
   == (testPath.length() - 1))) {

 So it compares the two extensions length, and was bug 22546.


So it does.  Apologies for misreading the code (and wasting your time).  And
it seems that through the magic of cut-and-paste, I've got the exact same
logic in the current security-constraint code ;).

 Rémy




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-11 Thread Remy Maucherat
[EMAIL PROTECTED] wrote:
billbarker    2003/12/10 21:50:39

Modified:    catalina/src/share/org/apache/catalina Realm.java
catalina/src/share/org/apache/catalina/authenticator 
AuthenticatorBase.java catalina/src/share/org/apache/catalina/realm
RealmBase.java Log: First attempt to get Tomcat compliant with the
Servlet 2.4 Spec for AA.

This one isn't very efficient (but not much worse than it was before
:).  Longer term, I'm looking to modify the j-t-c mapper to be able
to return a Collection of mapped objects, and use that.  In that case
it could also be used for Filter mappings.
Filter mapping is simple, and should be efficient enough right now. It 
was really horrible in 4.1.x (except if somehow all filters are mapped 
to /* or the exact path :-D), and is obviously used a lot more in 5.0.x, 
so I did fix it. I was planning to use something fancy when I noticed 
the requirements for this algorithm:
- we have to try all the mappings in order, which voids any possible
optimization
- I think we only have a String at our disposal for filter mapping: 
getting a char array would remove any performance benefit
- we don't have to generate any paths or similar stuff from the mapping 
results
- there was this regionMatches method in String that could do that 
matching test efficiently
And the profiler seems happy :) Maybe it's lying though.

For the constraint mapping, since we also have to test them all and
return yes/no for each, I recommend using a similar custom algorithm.

This version is just to get a Spec compliant version out there that
can be tested.
Rémy



Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-11 Thread philippe.leothaud
Hi,

I've been refactoring the piece of code I sent last time, and I've got that
now :

- the following method just replaces the
findSecurityConstraints(HttpRequest request, Context context) method in
RealmBase
- there is this static Map cache which caches the fake Constraints
mapped to (URI, http-method) couples to add
- lastly, the matchPattern(String path, String pattern) must be made
public.

It works OK for me, hope it helps


Philippe Leothaud


 private static Map cache = new HashMap();
 private final static String NULL_CONSTRAINT = "";

 /**
  * Retrieve from cache or build and return a custom <code>SecurityConstraint</code>
  * merging all valid <code>SecurityConstraint</code>s for the given method and URI,
  * or <code>null</code> if there is no such <code>SecurityConstraint</code>
  *
  * @param allConstraints : all the <code>SecurityConstraint</code>s defined in <code>web.xml</code>
  * @param req : the request of the User
  *
  * @return : the custom <code>SecurityConstraint</code>, wrapped in an array of
  *           <code>SecurityConstraint</code>s (to not break AuthenticatorBase and RealmBase API)
  */
 public SecurityConstraint[] findSecurityConstraints(HttpRequest request, Context context) {

   // Get allConstraints Context
   SecurityConstraint allConstraints[] = context.findConstraints();
   if ((allConstraints == null) || (allConstraints.length == 0)) {
     if (log.isDebugEnabled())
       log.debug("  No applicable constraints defined");
     return (null);
   }

   // Get URI and method from request
   HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
   String requestURI = request.getDecodedRequestURI();
   String contextPath = hreq.getContextPath();
   if (contextPath.length() > 0)
     requestURI = requestURI.substring(contextPath.length());

   String method = hreq.getMethod();

   if ((allConstraints == null) || (allConstraints.length == 0)) {
     if (log.isDebugEnabled())
       log.debug("  No applicable constraints defined");
     return (null);
   }

   // Did we already do the job ?
   Object cached = cache.get(requestURI + "::" + method);

   // No : let's work a bit
   if (cached == null) {
     // Determining valid constraints, checking the constraints' url-patterns against the given requestURI
     Map constraintsAndCollections = null;
     String bestMatch = "";
     for (int i = 0; i < allConstraints.length; i++) {
       String constraintBestMatch = "";
       SecurityCollection[] collections = allConstraints[i].findCollections();
       for (int j = 0; j < collections.length; j++) {
         String patterns[] = collections[j].findPatterns();
         for (int k = 0; k < patterns.length; k++)
           if (allConstraints[i].matchPattern(requestURI, patterns[k])
               && patterns[k].length() > bestMatch.length())
             bestMatch = patterns[k];
       }
       if (constraintBestMatch.length() > bestMatch.length())
         bestMatch = constraintBestMatch;
     }
     for (int i = 0; i < allConstraints.length; i++) {
       SecurityCollection[] collections = allConstraints[i].findCollections();
       List matchingWebCollections = null;
       for (int j = 0; j < collections.length; j++) {
         String patterns[] = collections[j].findPatterns();
         for (int k = 0; k < patterns.length; k++) {
           if (bestMatch.equals(patterns[k])) {
             if (matchingWebCollections == null)
               matchingWebCollections = new ArrayList();
             matchingWebCollections.add(collections[j]);
             break;
           }
         }
       }
       if (matchingWebCollections != null) {
         if (constraintsAndCollections == null)
           constraintsAndCollections = new HashMap();
         constraintsAndCollections.put(allConstraints[i], matchingWebCollections);
       }
     }
     if (constraintsAndCollections == null) {
       cache.put(requestURI + "::" + method, NULL_CONSTRAINT);
       return null;
     }

     // Determining valid constraints, checking the constraints' constrained methods against the given method
     Set matchingConstraints = constraintsAndCollections.keySet();
     Iterator matchingConstraintsIterator = matchingConstraints.iterator();
     while (matchingConstraintsIterator.hasNext()) {
       SecurityConstraint constraint = (SecurityConstraint) matchingConstraintsIterator.next();
       List matchingWebCollections = (List) constraintsAndCollections.get(constraint);
       Iterator matchingWebCollectionsIterator = matchingWebCollections.iterator();
       boolean methodIsProtected = false;
       while (matchingWebCollectionsIterator.hasNext()) {
         SecurityCollection collection = (SecurityCollection) matchingWebCollectionsIterator.next();
         String[] constrainedMethods = collection.findMethods();
         if (constrainedMethods == null || constrainedMethods.length == 0) {
           methodIsProtected = true;
           break;
         }
         for (int i = 0; i < constrainedMethods.length; i++) {
           if (method.equals(constrainedMethods[i])) {
             methodIsProtected = true;
             break;
           }
         }
         if (methodIsProtected)
           break;
       }
       if 

Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-11 Thread Bill Barker

- Original Message -
From: Remy Maucherat [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Thursday, December 11, 2003 1:40 AM
Subject: Re: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
RealmBase.java


 [EMAIL PROTECTED] wrote:
  billbarker    2003/12/10 21:50:39
 
  Modified:    catalina/src/share/org/apache/catalina Realm.java
  catalina/src/share/org/apache/catalina/authenticator
  AuthenticatorBase.java catalina/src/share/org/apache/catalina/realm
  RealmBase.java Log: First attempt to get Tomcat compliant with the
  Servlet 2.4 Spec for AA.
 
  This one isn't very efficient (but not much worse than it was before
  :).  Longer term, I'm looking to modify the j-t-c mapper to be able
  to return a Collection of mapped objects, and use that.  In that case
  it could also be used for Filter mappings.

 Filter mapping is simple, and should be efficient enough right now. It
 was really horrible in 4.1.x (except if somehow all filters are mapped
 to /* or the exact path :-D), and is obviously used a lot more in 5.0.x,
 so I did fix it. I was planning to use something fancy when I noticed
 the requirements for this algorithm:
 - we have to try all the mappings in order, which voids any possible
 optimization
 - I think we only have a String at our disposal for filter mapping:
 getting a char array would remove any performance benefit
 - we don't have to generate any paths or similar stuff from the mapping
 results
 - there was this regionMatches method in String that could do that
 matching test efficiently
 And the profiler seems happy :) Maybe it's lying though.

 For the constraint mapping, since we also have to test them all and
 return yes/no for each, I recommend using a similar custom algorithm.


I see your point on char array.  I'll probably leave it as Strings.  I'll
also look at the Filter mapping code.

  However, the entire point of the exercise is that we *don't* have to test
all of the security-constraints.  If I have a security-constraint with a
<url-pattern>/protected/*</url-pattern>, and another one with
<url-pattern>*.jsp</url-pattern>, then for a request to
/myapp/protected/index.jsp, only the first constraint is checked.  If you
don't believe me, read 12.8.3 ;-).

  This version is just to get a Spec compliant version out there that
  can be tested.

 Rémy



Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-11 Thread Remy Maucherat
Bill Barker wrote:
[EMAIL PROTECTED] wrote:

billbarker    2003/12/10 21:50:39

Modified:    catalina/src/share/org/apache/catalina Realm.java
catalina/src/share/org/apache/catalina/authenticator
AuthenticatorBase.java catalina/src/share/org/apache/catalina/realm
RealmBase.java Log: First attempt to get Tomcat compliant with the
Servlet 2.4 Spec for AA.
This one isn't very efficient (but not much worse than it was before
:).  Longer term, I'm looking to modify the j-t-c mapper to be able
to return a Collection of mapped objects, and use that.  In that case
it could also be used for Filter mappings.
Filter mapping is simple, and should be efficient enough right now. It
was really horrible in 4.1.x (except if somehow all filters are mapped
to /* or the exact path :-D), and is obviously used a lot more in 5.0.x,
so I did fix it. I was planning to use something fancy when I noticed
the requirements for this algorithm:
- we have to try all the mappings in order, which voids any possible
optimization
- I think we only have a String at our disposal for filter mapping:
getting a char array would remove any performance benefit
- we don't have to generate any paths or similar stuff from the mapping
results
- there was this regionMatches method in String that could do that
matching test efficiently
And the profiler seems happy :) Maybe it's lying though.
For the constraint mapping, since we also have to test them all and
return yes/no for each, I recommend using a similar custom algorithm.
I see your point on char array.  I'll probably leave it as Strings.  I'll
also look at the Filter mapping code.
  However, the entire point of the exercise is that we *don't* have to test
all of the security-constraints.  If I have a security-constraint with a
<url-pattern>/protected/*</url-pattern>, and another one with
<url-pattern>*.jsp</url-pattern>, then for a request to
/myapp/protected/index.jsp, only the first constraint is checked.  If you
don't believe me, read 12.8.3 ;-).
Ah, great, so it's a third mapping style then, so a third algorithm ;-)

Rémy
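
The selection rule argued over in this thread (find the best-matching url-pattern first, then check the HTTP method only against the constraints declared on that pattern), as an added example that is not Tomcat's code and not part of any message here. All class, record and constraint names and the sample constraints are hypothetical; it assumes Java 16 or later for records, and it folds the separate exact, prefix, extension and default passes into one best-pattern search, similar in spirit to the approach Philippe Leothaud posted.

```java
import java.util.ArrayList;
import java.util.List;

/** Added illustration; all names here are hypothetical and not Tomcat's API. */
public class ConstraintSelection {

    /** One web-resource-collection: url-patterns plus http-methods (empty list = every method). */
    record ResourceCollection(List<String> patterns, List<String> methods) {
        boolean coversMethod(String method) {
            return methods.isEmpty() || methods.contains(method);
        }
    }

    /** One security-constraint, with a label used only for printing. */
    record Constraint(String name, List<ResourceCollection> collections) {}

    /** "/protected/*" matches "/protected" and "/protected/x", but not "/protectedx". */
    static boolean prefixMatches(String pattern, String uri) {
        String prefix = pattern.substring(0, pattern.length() - 2);
        return uri.equals(prefix) || uri.startsWith(prefix + "/");
    }

    /** Extension text and length must both agree, so "*.jsp" covers neither x.jspf nor x.js. */
    static boolean extensionMatches(String pattern, String uri) {
        int slash = uri.lastIndexOf('/');
        int dot = uri.lastIndexOf('.');
        return slash >= 0 && dot > slash && dot != uri.length() - 1
                && uri.length() - dot == pattern.length() - 1
                && pattern.regionMatches(1, uri, dot, uri.length() - dot);
    }

    /** Match class: 3 exact, 2 path prefix, 1 extension, 0 default "/", -1 no match. */
    static int rank(String pattern, String uri) {
        if (pattern.equals(uri)) return 3;
        if (pattern.startsWith("/") && pattern.endsWith("/*") && prefixMatches(pattern, uri)) return 2;
        if (pattern.startsWith("*.") && extensionMatches(pattern, uri)) return 1;
        if (pattern.equals("/")) return 0;
        return -1;
    }

    /** Best pattern over all constraints: highest class wins, longest wins among prefixes. */
    static String bestPattern(List<Constraint> constraints, String uri) {
        String best = null;
        int bestRank = -1;
        for (Constraint c : constraints)
            for (ResourceCollection wrc : c.collections())
                for (String p : wrc.patterns()) {
                    int r = rank(p, uri);
                    if (r > bestRank || (r == bestRank && r == 2 && p.length() > best.length())) {
                        best = p;
                        bestRank = r;
                    }
                }
        return best;
    }

    /**
     * Constraints that apply to (uri, method). The path decides first; the method is
     * checked only on collections that declare the best pattern, and an empty result
     * never falls through to a less specific pattern.
     */
    static List<String> select(List<Constraint> constraints, String uri, String method) {
        List<String> selected = new ArrayList<>();
        String best = bestPattern(constraints, uri);
        if (best == null) return selected;   // no pattern matches this URI
        for (Constraint c : constraints)
            for (ResourceCollection wrc : c.collections())
                if (wrc.patterns().contains(best) && wrc.coversMethod(method)) {
                    selected.add(c.name());
                    break;                   // every matching collection is tried until one covers the method
                }
        return selected;
    }

    public static void main(String[] args) {
        // Constructed sample constraints, standing in for a web.xml.
        List<Constraint> webXml = List.of(
            new Constraint("protected-area", List.of(
                new ResourceCollection(List.of("/protected/*"), List.of()))),
            new Constraint("jsp-post", List.of(
                new ResourceCollection(List.of("*.jsp"), List.of("POST")))),
            new Constraint("reports-get", List.of(
                new ResourceCollection(List.of("/protected/reports/*"), List.of("GET")))));

        String[][] requests = {
            {"/protected/index.jsp", "GET"},       // prefix class outranks *.jsp
            {"/public/index.jsp", "POST"},         // only *.jsp matches
            {"/public/index.jsp", "GET"},          // pattern matches, method not listed
            {"/public/header.jspf", "POST"},       // extension differs, nothing matches
            {"/protected/reports/q1.jsp", "POST"}, // longest prefix is selected, no fall-through
        };
        for (String[] r : requests)
            System.out.println(r[1] + " " + r[0] + " -> best=" + bestPattern(webXml, r[0])
                    + " constraints=" + select(webXml, r[0], r[1]));
    }
}
```

The last request is the case to review in a real web.xml: a more specific pattern with a narrow method list is the only one consulted, so a broader constraint on a parent path does not apply to it.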



cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-11 Thread billbarker
billbarker    2003/12/11 22:16:18

  Modified:    catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Getting back to strict compliance with the Spec for AAA.
  
  My last patch included an illegal optimization (check methods before checking
  path).  Now methods are correctly checked after the path has been checked.
  
  Also including some of Remy's optimizations from the Filter mapping code.
  
  This doesn't include Philippe's idea of caching the mappings.  This is largely
  because the submitted patch is broken (it assumes that the Realm is configured at the
  Context level), but I like the idea.  I'd like to add a config switch to cache
  security-constraint mapping (defaulting to what the list's opinions are).
  
  Revision  ChangesPath
  1.21  +69 -64
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.20
  retrieving revision 1.21
  diff -u -r1.20 -r1.21
  --- RealmBase.java11 Dec 2003 05:50:39 -  1.20
  +++ RealmBase.java12 Dec 2003 06:16:18 -  1.21
  @@ -464,18 +464,20 @@
   
   String method = hreq.getMethod();
   int i;
  + boolean found = false;
   for (i = 0; i  constraints.length; i++) {
   SecurityCollection [] collection = constraints[i].findCollections();
  -
  + 
   if (log.isDebugEnabled())
   log.debug(  Checking constraint ' + constraints[i] +
   ' against  + method +   + uri +  --  +
   constraints[i].included(uri, method));
   for(int j=0; j  collection.length; j++){
  -if(collection[j].findMethod(method)) {
  -String [] patterns = collection[j].findPatterns();
  -for(int k=0; k  patterns.length; k++) {
  -if(uri.equals(patterns[k])) {
  +String [] patterns = collection[j].findPatterns();
  +for(int k=0; k  patterns.length; k++) {
  +if(uri.equals(patterns[k])) {
  +found = true;
  +if(collection[j].findMethod(method)) {
   if(results == null) {
   results = new ArrayList();
   }
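Review bot: the added `+ boolean found = false;` and the `+ ` line that replaces the blank `-` line are indented differently from the surrounding code, so the hunk mixes whitespace noise into a functional change. It is also worth a comment at `found = true;` that the flag is set on a path match before `findMethod(method)` is consulted, since that ordering is the point of the change and is easy to undo by accident.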
  @@ -484,15 +486,12 @@
   }
   }
   }
  -}
  -if(results != null) {
  + }
  +if(found) {
   return resultsToArray(results);
   }
   int longest = -1;
  -String testURI = uri;
  -if(uri.endsWith(/)) {
  -testURI = uri.substring(0,uri.length()-1);
  -}
  +
   for (i = 0; i  constraints.length; i++) {
   SecurityCollection [] collection = constraints[i].findCollections();
   
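Review bot: switching the early return from `if(results != null)` to `if(found)` means `resultsToArray(results)` is now called with `results == null` whenever a pattern matched but no collection listed the method. Confirm that `resultsToArray` accepts null, and document what callers receive in that case, because the return value now means "path matched, method not constrained" rather than "nothing matched yet".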
  @@ -501,37 +500,44 @@
   ' against  + method +   + uri +  --  +
   constraints[i].included(uri, method));
   for(int j=0; j  collection.length; j++){
  -if(collection[j].findMethod(method)) {
  -String [] patterns = collection[j].findPatterns();
  -boolean matched = false;
  -int length = -1;
  -for(int k=0; k  patterns.length; k++) {
  -String pattern = patterns[j];
  -if(pattern.startsWith(/)  pattern.endsWith(/*)  
  -   pattern.length() = longest) {
  +String [] patterns = collection[j].findPatterns();
  +boolean matched = false;
  +int length = -1;
  +for(int k=0; k  patterns.length; k++) {
  +String pattern = patterns[j];
  +if(pattern.startsWith(/)  pattern.endsWith(/*)  
  +   pattern.length() = longest) {
   
  -if(pattern.length() == 0) {
  -matched = true;
  -length = pattern.length();
  -} else if(testURI.startsWith(pattern)) {
  -matched = true;
  -length = pattern.length();
  -}
  +if(pattern.length() == 2) {
  +matched = true;
  +length = pattern.length();
  +} else if(pattern.regionMatches(0,uri,0,
  + pattern.length()-2)) {
  +matched = true;
  + 
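Review bot: the re-indented `k` loop still reads `String pattern = patterns[j];`, so the loop variable `k` never indexes `patterns` and each iteration tests the same entry; it should be `patterns[k]`. Separately, the `testURI` trimming is removed in favour of `regionMatches` on `uri` directly, so check that a request URI ending in `/` is still handled the way the old `testURI.startsWith(pattern)` branch intended.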

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-11 Thread billbarker
billbarker    2003/12/11 22:24:36

  Modified:    catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Trying to escape the dreaded tap-police ;-).
  
  No functional changes.
  
  Revision  ChangesPath
  1.22  +9 -9  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.21
  retrieving revision 1.22
  diff -u -r1.21 -r1.22
  --- RealmBase.java12 Dec 2003 06:16:18 -  1.21
  +++ RealmBase.java12 Dec 2003 06:24:36 -  1.22
  @@ -464,7 +464,7 @@
   
   String method = hreq.getMethod();
   int i;
  - boolean found = false;
  +boolean found = false;
   for (i = 0; i  constraints.length; i++) {
   SecurityCollection [] collection = constraints[i].findCollections();

  @@ -486,7 +486,7 @@
   }
   }
   }
  - }
  +}
   if(found) {
   return resultsToArray(results);
   }
  @@ -512,7 +512,7 @@
   matched = true;
   length = pattern.length();
   } else if(pattern.regionMatches(0,uri,0,
  - pattern.length()-2)) {
  +pattern.length()-2)) {
   matched = true;
   length = pattern.length();
   }
  @@ -554,8 +554,8 @@
   int slash = uri.lastIndexOf(/);
   int dot = uri.lastIndexOf(.);
   if(slash = 0  dot  slash 
  -dot != uri.length()-1 
  -uri.length()-dot == pattern.length()-1) {
  +   dot != uri.length()-1 
  +   uri.length()-dot == pattern.length()-1) {
   if(pattern.regionMatches(1,uri,dot,uri.length()-dot)) {
   matched = true;
   }
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-10 Thread Jeff Tulley
http://jakarta.apache.org/site/getinvolved.html 

 [EMAIL PROTECTED] 12/9/03 5:40:18 AM 
How do I join as Developer...

Basu.

- Original Message -
From: Remy Maucherat [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 3:12 PM
Subject: Re: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
RealmBase.java


 [EMAIL PROTECTED] wrote:
  amyroh  2003/12/08 17:54:33
 
Modified:catalina/src/share/org/apache/catalina/core
  ApplicationFilterFactory.java
 catalina/src/share/org/apache/catalina/realm
RealmBase.java
Log:
Revert the patch.  Seems like this case is already handled in the
Mapper in TC5.

 M, forget my -1 (I should read *all* my email before replying) :-D
 Note that there's an open bug about this: bug 25015
 (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25015). Could you get
 some spec related folk to comment on it ?

 The ex was:
 http://localhost/appname/servlet-name/extra;path/info;here/hi.jsp 

 Looking at the URI RFC, I think this should be changed to:
 http://localhost/appname/servlet-name/extra/info/hi.jsp 

 Rémy






Jeff Tulley  ([EMAIL PROTECTED])
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com





cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-10 Thread billbarker
billbarker    2003/12/10 21:50:39

  Modified:    catalina/src/share/org/apache/catalina Realm.java
               catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java
               catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  First attempt to get Tomcat compliant with the Servlet 2.4 Spec for AA.
  
  This one isn't very efficient (but not much worse than it was before :).  Longer
  term, I'm looking to modify the j-t-c mapper to be able to return a Collection of
  mapped objects, and use that.  In that case it could also be used for Filter mappings.
  
  This version is just to get a Spec compliant version out there that can be tested.
  
  Reported By: Philippe Leothaud [EMAIL PROTECTED]
  
  Revision  ChangesPath
  1.6   +6 -6  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/Realm.java
  
  Index: Realm.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/Realm.java,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- Realm.java2 Sep 2003 21:22:05 -   1.5
  +++ Realm.java11 Dec 2003 05:50:39 -  1.6
  @@ -192,7 +192,7 @@
*/
   public boolean hasResourcePermission(HttpRequest request,
HttpResponse response,
  - SecurityConstraint constraint,
  + SecurityConstraint [] constraint,
Context context)
   throws IOException;
   
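Review bot: changing the parameter of `hasResourcePermission` to `SecurityConstraint []` alters a public interface method, so existing `Realm` implementations outside this tree stop compiling against it. The parameter is still named `constraint`; rename it to `constraints` and update the Javadoc above the method to say how multiple constraints are combined.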
  @@ -221,7 +221,7 @@
*/
   public boolean hasUserDataPermission(HttpRequest request,
HttpResponse response,
  - SecurityConstraint constraint)
  + SecurityConstraint []constraint)
   throws IOException;
   
   /**
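Review bot: In both changed signatures, `hasResourcePermission` in the first hunk and `hasUserDataPermission` here, the parameter type becomes an array but the name stays the singular `constraint`, and neither hunk touches the Javadoc that ends just above each method. Rename the parameter to `constraints` and state in the Javadoc how the array is evaluated (must every constraint permit the request, or is one enough) and what a null or empty array means, since every Realm implementation now has to agree on that. The spacing also differs between the two lines (`SecurityConstraint [] constraint` versus `SecurityConstraint []constraint`).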
  
  
  
  1.15  +35 -42
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -r1.14 -r1.15
  --- AuthenticatorBase.java24 Nov 2003 16:46:56 -  1.14
  +++ AuthenticatorBase.java11 Dec 2003 05:50:39 -  1.15
  @@ -526,27 +526,22 @@
   }
   
   int i;
  -for(i=0; i  constraints.length; i++) {
  -if (log.isDebugEnabled()) {
  -log.debug( Subject to constraint  + constraints[i]);
  -}
  -// Enforce any user data constraint for this security constraint
  +// Enforce any user data constraint for this security constraint
  +if (log.isDebugEnabled()) {
  +log.debug( Calling hasUserDataPermission());
  +}
  +if (!realm.hasUserDataPermission(hrequest, hresponse,
  + constraints)) {
   if (log.isDebugEnabled()) {
  -log.debug( Calling hasUserDataPermission());
  -}
  -if (!realm.hasUserDataPermission(hrequest, hresponse,
  - constraints[i])) {
  -if (log.isDebugEnabled()) {
  -log.debug( Failed hasUserDataPermission() test);
  -}
  -/*
  - * ASSERT: Authenticator already set the appropriate
  - * HTTP status code, so we do not have to do anything special
  - */
  -return;
  +log.debug( Failed hasUserDataPermission() test);
   }
  +/*
  + * ASSERT: Authenticator already set the appropriate
  + * HTTP status code, so we do not have to do anything special
  + */
  +return;
   }
  -
  +   
   for(i=0; i  constraints.length; i++) {
   // Authenticate based upon the specified login configuration
   if (constraints[i].getAuthConstraint()) {
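Review bot: The comment kept above the new `hasUserDataPermission(hrequest, hresponse, constraints)` call still reads "for this security constraint", but the call now receives the whole array and the per-constraint loop around it is gone. Update the comment. The removed "Subject to constraint" debug line was also the only place in this block where the matched constraints were logged, so it is worth logging the failing constraint inside the realm so a denied request can still be traced. The added whitespace-only line before the second loop can be dropped.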
  @@ -563,30 +558,28 @@
* special
*/
   return;
  +} else {
  +break;
   }
   }
  -
  -// Perform access control based on the specified role(s)
  -if (constraints[i].getAuthConstraint()) {
  -if (log.isDebugEnabled()) {
  -log.debug( Calling accessControl());
  -}
  -if (!realm.hasResourcePermission(hrequest, hresponse,
  - 
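Review bot: In the authentication loop, the new `else { break; }` follows a branch that ends in `return;`, so the `else` is redundant and a plain `break;` after the `if` says the same thing. The intent appears to be that authentication runs once, for the first constraint whose `getAuthConstraint()` is true; a one-line comment saying so would help, because the loop header alone suggests every constraint is visited.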

Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-09 Thread Remy Maucherat
[EMAIL PROTECTED] wrote:
> amyroh  2003/12/08 16:50:58
>
>   Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
>   Log:
>   Strip out uri parameters (;*) during filter mappings or security constraints
>   matching - bugtraq 4903209.

-1 for all these patches. I'd like an explanation of what the problem 
actually is (all URI parameters are stripped early on before going in 
the Catalina pipeline).

Rémy



Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-09 Thread Remy Maucherat
[EMAIL PROTECTED] wrote:
> amyroh  2003/12/08 17:54:33
>
>   Modified:catalina/src/share/org/apache/catalina/core
> ApplicationFilterFactory.java
>    catalina/src/share/org/apache/catalina/realm RealmBase.java
>   Log:
>   Revert the patch.  Seems like this case is already handled in the Mapper in TC5.

M, forget my -1 (I should read *all* my email before replying) :-D
Note that there's an open bug about this: bug 25015 
(http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25015). Could you get 
some spec related folk to comment on it ?

The ex was:
http://localhost/appname/servlet-name/extra;path/info;here/hi.jsp

Looking at the URI RFC, I think this should be changed to:
http://localhost/appname/servlet-name/extra/info/hi.jsp

Rémy





Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-09 Thread Basavaraju P. Banakar
How do I join as Developer...

Basu.

- Original Message -
From: Remy Maucherat [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Tuesday, December 09, 2003 3:12 PM
Subject: Re: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
RealmBase.java


> [EMAIL PROTECTED] wrote:
> > amyroh  2003/12/08 17:54:33
> >
> >   Modified:catalina/src/share/org/apache/catalina/core
> > ApplicationFilterFactory.java
> >    catalina/src/share/org/apache/catalina/realm RealmBase.java
> >   Log:
> >   Revert the patch.  Seems like this case is already handled in the
> >   Mapper in TC5.
>
> M, forget my -1 (I should read *all* my email before replying) :-D
> Note that there's an open bug about this: bug 25015
> (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25015). Could you get
> some spec related folk to comment on it ?
>
> The ex was:
> http://localhost/appname/servlet-name/extra;path/info;here/hi.jsp
>
> Looking at the URI RFC, I think this should be changed to:
> http://localhost/appname/servlet-name/extra/info/hi.jsp
>
> Rémy









Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-09 Thread Amy Roh
Remy Maucherat wrote:

> [EMAIL PROTECTED] wrote:
>
>> amyroh  2003/12/08 17:54:33
>>
>>   Modified:catalina/src/share/org/apache/catalina/core
>> ApplicationFilterFactory.java
>>    catalina/src/share/org/apache/catalina/realm RealmBase.java
>>   Log:
>>   Revert the patch.  Seems like this case is already handled in the
>>   Mapper in TC5.
>
> M, forget my -1 (I should read *all* my email before replying) :-D
> Note that there's an open bug about this: bug 25015 
> (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25015). Could you get 
> some spec related folk to comment on it ?

Servlet spec folks talked about this (parameters in path and whether 
getpathinfo should return them or not), and they couldn't get the 
consensus. Most people seem to like that getPathInfo should NOT include 
the parameters, but we haven't had a thorough discussion and that's 
listed as an item for the next version of the spec. So, for now, it's 
container-specific but the servlet spec lead recommends to remove them.

Amy

> The ex was:
> http://localhost/appname/servlet-name/extra;path/info;here/hi.jsp
> Looking at the URI RFC, I think this should be changed to:
> http://localhost/appname/servlet-name/extra/info/hi.jsp
> Rémy







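The thread above turns on which form of the path is used once `;` parameters appear in it. As an added example (not Tomcat code and not written by anyone in the thread; the class, the method names and the constraint pattern are hypothetical), the Java below runs the thread's example path through three treatments and checks each result against one constructed security-constraint pattern.

```java
// Added illustration, not Tomcat source. All names here are hypothetical.
public class PathParameterMatching {

    /** What the reverted patch did: cut the path at the first ';'. */
    static String truncateAtFirstSemicolon(String path) {
        int semicolon = path.indexOf(';');
        return semicolon >= 0 ? path.substring(0, semicolon) : path;
    }

    /** Drop ";..." from every segment, keeping the segments themselves. */
    static String stripPathParameters(String path) {
        StringBuilder out = new StringBuilder(path.length());
        boolean inParameter = false;
        for (int i = 0; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c == '/') {
                inParameter = false;   // a new segment ends any parameter
                out.append(c);
            } else if (c == ';') {
                inParameter = true;    // skip until the next '/'
            } else if (!inParameter) {
                out.append(c);
            }
        }
        return out.toString();
    }

    /** Simplified url-pattern match: exact, or prefix for patterns ending in "/*". */
    static boolean matches(String pattern, String path) {
        if (!pattern.endsWith("/*")) {
            return pattern.equals(path);
        }
        String prefix = pattern.substring(0, pattern.length() - 2);
        return path.equals(prefix) || path.startsWith(prefix + "/");
    }

    public static void main(String[] args) {
        // Context-relative form of the URL quoted in the thread.
        String requested = "/servlet-name/extra;path/info;here/hi.jsp";
        // Constructed constraint pattern, assumed for this example.
        String protectedPattern = "/servlet-name/extra/info/*";

        String[] labels = { "raw", "cut at first ';'", "per-segment strip" };
        String[] candidates = {
            requested,
            truncateAtFirstSemicolon(requested),
            stripPathParameters(requested)
        };
        for (int i = 0; i < candidates.length; i++) {
            System.out.println(labels[i] + ": " + candidates[i]
                + " -> constraint applies: "
                + matches(protectedPattern, candidates[i]));
        }
    }
}
```

Only the per-segment form produces the path Rémy proposes, and only that form falls under the constructed constraint, which is why constraint matching and dispatch need to agree on one treatment.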


cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-08 Thread amyroh
amyroh  2003/12/08 16:50:58

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Strip out uri parameters (;*) during filter mappings or security constraints 
matching - bugtraq 4903209.
  
  Revision  ChangesPath
  1.18  +16 -4 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- RealmBase.java2 Sep 2003 21:22:05 -   1.17
  +++ RealmBase.java9 Dec 2003 00:50:58 -   1.18
  @@ -460,6 +460,18 @@
   String contextPath = hreq.getContextPath();
   if (contextPath.length()  0)
   uri = uri.substring(contextPath.length());
  +
  +if (uri != null) {
  +int semicolon = uri.indexOf(;);
  +if (semicolon = 0) {
  +String baseuri = uri.substring(0, semicolon);
  +if (debug = 2)
  +log(Request uri ' + uri + ' treated as ' + baseuri +
  +' for security constraint matching.);
  +uri = baseuri;
  +}
  +}
  +
   String method = hreq.getMethod();
   for (int i = 0; i  constraints.length; i++) {
   if (log.isDebugEnabled())
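Review bot: `uri.substring(0, semicolon)` cuts at the first `;` found by `indexOf`, so everything after it is dropped, including later path segments: a path such as `/a;x/b` would be matched against the constraints as `/a`. If the goal is to ignore URI parameters, strip them per segment (from each `;` up to the next `/`) so the constraint is matched on the same path that is dispatched. Two smaller points: the `uri != null` test comes after the context line `uri = uri.substring(contextPath.length())`, which already dereferences `uri` whenever the context path is non-empty, so do the null check before that line or drop it; and the new message goes through `debug` and `log(...)` while the loop just below uses `log.isDebugEnabled()`.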
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-12-08 Thread amyroh
amyroh  2003/12/08 17:54:33

  Modified:catalina/src/share/org/apache/catalina/core
ApplicationFilterFactory.java
   catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Revert the patch.  Seems like this case is already handled in the Mapper in TC5.
  
  Revision  ChangesPath
  1.13  +3 -7  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationFilterFactory.java
  
  Index: ApplicationFilterFactory.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationFilterFactory.java,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- ApplicationFilterFactory.java 9 Dec 2003 00:50:28 -   1.12
  +++ ApplicationFilterFactory.java 9 Dec 2003 01:54:33 -   1.13
  @@ -156,10 +156,6 @@
   
   if (attribute != null){
   requestPath = attribute.toString();
  -int semicolon = requestPath.indexOf(;);
  -if (semicolon = 0) {
  -requestPath = requestPath.substring(0, semicolon);
  -}
   }
   
   HttpServletRequest hreq = null;
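Review bot: In this branch `requestPath` is taken from `attribute.toString()`, not from the mapped request, so the log message's reasoning that the Mapper already handles `;` parameters needs to be confirmed for this code path specifically. If the attribute can carry a path that never went through the Mapper, filter mappings would be matched on the unstripped value after this revert; a test with a `;` in that attribute would settle it.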
  
  
  
  1.19  +4 -15 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- RealmBase.java9 Dec 2003 00:50:58 -   1.18
  +++ RealmBase.java9 Dec 2003 01:54:33 -   1.19
  @@ -461,17 +461,6 @@
   if (contextPath.length()  0)
   uri = uri.substring(contextPath.length());
   
  -if (uri != null) {
  -int semicolon = uri.indexOf(;);
  -if (semicolon = 0) {
  -String baseuri = uri.substring(0, semicolon);
  -if (debug = 2)
  -log(Request uri ' + uri + ' treated as ' + baseuri +
  -' for security constraint matching.);
  -uri = baseuri;
  -}
  -}
  -
   String method = hreq.getMethod();
   for (int i = 0; i  constraints.length; i++) {
   if (log.isDebugEnabled())
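Review bot: With the stripping block removed, nothing at this point says that `uri` is expected to arrive without `;` parameters, and the log message only says the Mapper "seems" to handle it. Add a comment above the constraint loop naming where the parameters are removed, plus a regression test that a request path containing `;` is matched against the same security constraint as the path without it.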
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-08-26 Thread billbarker
billbarker2003/08/25 21:04:56

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Simplifying the code by hiding the arrayCopy.  No real functional changes.
  
  Revision  ChangesPath
  1.15  +5 -5  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -r1.14 -r1.15
  --- RealmBase.java25 Jul 2003 05:06:49 -  1.14
  +++ RealmBase.java26 Aug 2003 04:04:56 -  1.15
  @@ -487,7 +487,7 @@
   if(results == null)
   return null;
   SecurityConstraint [] array = new SecurityConstraint [results.size()];
  -System.arraycopy(results.toArray(), 0, array, 0, array.length);
  +results.toArray(array);
   return array;
   
   }
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-08-26 Thread remm
remm2003/08/26 01:46:48

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  - Bug 22698: Restore RealmBase.main(). There doesn't seem to be any side
effect, so there's no reason to remove it at this time.
  
  Revision  ChangesPath
  1.16  +23 -22
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- RealmBase.java26 Aug 2003 04:04:56 -  1.15
  +++ RealmBase.java26 Aug 2003 08:46:48 -  1.16
  @@ -987,24 +987,25 @@
   }
   
   
  -///**
  -// * Digest password using the algorithm especificied and
  -// * convert the result to a corresponding hex string.
  -// * If exception, the plain credentials string is returned
  -// */
  -//public static void main(String args[]) {
  -//
  -//if(args.length  2  args[0].equalsIgnoreCase(-a)) {
  -//for(int i=2; i  args.length ; i++){
  -//System.out.print(args[i]+:);
  -//System.out.println(Digest(args[i], args[1]));
  -//}
  -//} else {
  -//System.out.println
  -//(Usage: RealmBase -a algorithm credentials);
  -//}
  -//
  -//}
  +/**
  + * Digest password using the algorithm especificied and
  + * convert the result to a corresponding hex string.
  + * If exception, the plain credentials string is returned
  + */
  +public static void main(String args[]) {
  +
  +if(args.length  2  args[0].equalsIgnoreCase(-a)) {
  +for(int i=2; i  args.length ; i++){
  +System.out.print(args[i]+:);
  +System.out.println(Digest(args[i], args[1]));
  +}
  +} else {
  +System.out.println
  +(Usage: RealmBase -a algorithm credentials);
  +}
  +
  +}
  +
   
   //  JMX and Registration  
   protected String type;
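Review bot: The restored Javadoc says that on an exception "the plain credentials string is returned", and `main` prints the result of `Digest(args[i], args[1])` without checking for that case, so when digesting fails the cleartext credential is printed in the position where the digest is expected. Have `main` detect the failure and report an error instead of printing the value. Credentials passed as arguments are also visible in the process list and shell history; reading them from standard input avoids that. In the comment, `especificied` should be `specified`.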
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-05-27 Thread remm
remm2003/05/27 10:02:36

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  - Refactor without using SSL URLs, similar to what is done for sendRedirect.
  
  Revision  ChangesPath
  1.13  +15 -22
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- RealmBase.java23 Apr 2003 16:14:12 -  1.12
  +++ RealmBase.java27 May 2003 17:02:36 -  1.13
  @@ -72,8 +72,6 @@
   import java.security.NoSuchAlgorithmException;
   import java.security.cert.X509Certificate;
   import java.io.IOException;
  -import java.net.URL;
  -import java.net.MalformedURLException;
   import java.util.Set;
   
   import javax.servlet.http.HttpServletRequest;
  @@ -669,9 +667,15 @@
   }
   
   // Redirect to the corresponding SSL port
  +StringBuffer file = new StringBuffer();
   String protocol = https;
   String host = hrequest.getServerName();
  -StringBuffer file = new StringBuffer(hrequest.getRequestURI());
  +// Protocol
  +file.append(protocol).append(://);
  +// Host with port
  +file.append(host).append(:).append(redirectPort);
  +// URI
  +file.append(hrequest.getRequestURI());
   String requestedSessionId = hrequest.getRequestedSessionId();
   if ((requestedSessionId != null) 
   hrequest.isRequestedSessionIdFromURL()) {
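Review bot: The added "Host with port" append always writes `redirectPort`, so a redirect to the default HTTPS port comes out as `https://host:443/...`; omit the port when `redirectPort` is 443. The buffer now holds a complete URL rather than the file part, so `file` should be renamed (for example `url`). `host` comes from `hrequest.getServerName()`, which normally reflects the request's Host header; since it now reaches the redirect target by plain concatenation, a comment stating where that value is validated would help.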
  @@ -683,21 +687,10 @@
   file.append('?');
   file.append(queryString);
   }
  -URL url = null;
  -try {
  -url = new URL(protocol, host, redirectPort, file.toString());
  -if (log.isDebugEnabled())
  -log.debug(  Redirecting to  + url.toString());
  -hresponse.sendRedirect(url.toString());
  -return (false);
  -} catch (MalformedURLException e) {
  -if (log.isDebugEnabled())
  -log.debug(  Cannot create new URL, e);
  -hresponse.sendError
  -(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
  - hrequest.getRequestURI());
  -return (false);
  -}
  +if (log.isDebugEnabled())
  +log.debug(  Redirecting to  + file.toString());
  +hresponse.sendRedirect(file.toString());
  +return (false);
   
   }
   
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-05-27 Thread Bill Barker

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 27, 2003 10:02 AM
Subject: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
RealmBase.java


 remm2003/05/27 10:02:36

   Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
   Log:
   - Refactor without using SSL URLs, similar to what is done for
sendRedirect.

   Revision  ChangesPath
   1.13  +15 -22
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBa
se.java

   Index: RealmBase.java
   ===
   RCS file:
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/rea
lm/RealmBase.java,v
   retrieving revision 1.12
   retrieving revision 1.13
   diff -u -r1.12 -r1.13
   --- RealmBase.java 23 Apr 2003 16:14:12 - 1.12
   +++ RealmBase.java 27 May 2003 17:02:36 - 1.13
   @@ -72,8 +72,6 @@
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.io.IOException;
   -import java.net.URL;
   -import java.net.MalformedURLException;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
   @@ -669,9 +667,15 @@
}

// Redirect to the corresponding SSL port
   +StringBuffer file = new StringBuffer();
String protocol = https;
String host = hrequest.getServerName();
   -StringBuffer file = new StringBuffer(hrequest.getRequestURI());
   +// Protocol
   +file.append(protocol).append(://);
   +// Host with port
   +file.append(host).append(:).append(redirectPort);
   +// URI
   +file.append(hrequest.getRequestURI());

I really don't like the redirect to https:host:443/  The easiest fix
would have been to simply change the import from java.net.URL to
org.apache.catalina.util.URL (or org.apache.tomcat.util.net.URL, they
are much the same).






cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-03-20 Thread costin
costin  2003/03/20 07:57:40

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Simplify ( refactored common operations )
  
  Start work on unregistration.
  
  Revision  ChangesPath
  1.8   +18 -29
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- RealmBase.java17 Mar 2003 19:24:13 -  1.7
  +++ RealmBase.java20 Mar 2003 15:57:39 -  1.8
  @@ -81,10 +81,6 @@
   import javax.management.ObjectName;
   import javax.management.MBeanServer;
   import javax.management.MBeanRegistration;
  -import javax.management.InstanceNotFoundException;
  -import javax.management.MBeanException;
  -import javax.management.ReflectionException;
  -import javax.management.MalformedObjectNameException;
   
   import org.apache.catalina.Container;
   import org.apache.catalina.Context;
  @@ -98,6 +94,7 @@
   import org.apache.catalina.core.StandardEngine;
   import org.apache.catalina.core.StandardHost;
   import org.apache.catalina.core.StandardContext;
  +import org.apache.catalina.core.ContainerBase;
   
   import org.apache.catalina.deploy.LoginConfig;
   import org.apache.catalina.deploy.SecurityConstraint;
  @@ -995,8 +992,17 @@
   protected String host;
   protected String path;
   protected ObjectName oname;
  +protected ObjectName controller;
   protected MBeanServer mserver;
   
  +public ObjectName getController() {
  +return controller;
  +}
  +
  +public void setController(ObjectName controller) {
  +this.controller = controller;
  +}
  +
   public ObjectName getObjectName() {
   return oname;
   }
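Review bot: The new `controller` field and its `getController()` / `setController()` accessors have no Javadoc, and nothing in this hunk uses them, so a reader cannot tell what the `ObjectName` identifies or who is expected to set it. Add a comment on the field (the log message mentions unregistration work), or hold the accessors back until the code that uses them lands.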
  @@ -1040,22 +1046,17 @@
   if( container== null ) {
   // Register with the parent
   try {
  -Set names=null;
  +ObjectName parent=null;
   if( host == null ) {
   // global
  -names=mserver.queryNames(new ObjectName(domain 
+:type=Engine,*), null);
  +parent=new ObjectName(domain +:type=Engine);
   } else if( path==null ) {
  -names=mserver.queryNames(new ObjectName(domain +
  -:type=Host,host= + host +,*), null);
  +parent=new ObjectName(domain +
  +:type=Host,host= + host);
   } else {
  -names=mserver.queryNames(new ObjectName(domain 
+:j2eeType=WebModule,name=// +
  -host + / + path + ,*), null);
  -}
  -if( names.size() == 0 ) {
  -log.error(Can't register, no object found  + oname );
  -return;
  +parent=new ObjectName(domain +:j2eeType=WebModule,name=// +
  +host + / + path);
   }
  -ObjectName parent=(ObjectName)names.iterator().next();
   log.info(Register with  + parent);
   mserver.invoke(parent, setRealm, new Object[] {this},
   new String[] {org.apache.catalina.Realm});
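Review bot: Replacing `queryNames` with a directly built `ObjectName` removes the `names.size() == 0` guard, so `mserver.invoke(parent, ...)` is now attempted even when no such MBean is registered, and the "Can't register, no object found" error message is gone. The old patterns also ended in `,*`, which matched parents registered with additional key properties; the exact names will not. Either keep a check such as `mserver.isRegistered(parent)` with the error log, or confirm that the parent names never carry extra keys.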
  @@ -1067,21 +1068,9 @@
   if( oname==null ) {
   // register
   try {
  -StandardEngine engine=null;
  -String suffix=;
  -if( container instanceof StandardEngine ) {
  -engine=(StandardEngine)container;
  -} else if( container instanceof StandardHost ) {
  -engine=(StandardEngine)container.getParent();
  -suffix=,host= + container.getName();
  -} else if( container instanceof StandardContext ) {
  -engine=(StandardEngine)container.getParent().getParent();
  -suffix=,host= + container.getParent().getName() + 
  -,path= + ((StandardContext)container).getPath();
  -}
  -oname=new ObjectName(engine.getDomain()+ :type=Realm + suffix);
  +ContainerBase cb=(ContainerBase)container;
  +oname=new ObjectName(cb.getDomain()+:type=Realm + 
cb.getContainerSuffix());
   Registry.getRegistry().registerComponent(this, oname, null );
  -
   } catch (Throwable e) {
   e.printStackTrace();  //To change body of catch statement use 
Options | File Templates.
   }
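Review bot: `(ContainerBase)container` is an unchecked cast where the removed code tested `instanceof` for each container type; a container that does not extend `ContainerBase` now throws `ClassCastException`, which the surrounding `catch (Throwable e)` turns into a bare `e.printStackTrace()`. Check the type before casting, report failures through `log.error`, and remove the leftover IDE template comment on the catch line.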
  
  
  


cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2003-03-17 Thread costin
costin  2003/03/17 11:24:13

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  Registration.
  
  I also commented out main() - if it is really used, it should be in a separate
  class - in startup for example.
  
  The main() in Embeded should also be removed ( it seems like test code )
  
  Revision  ChangesPath
  1.7   +87 -46
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- RealmBase.java12 Mar 2003 06:52:14 -  1.6
  +++ RealmBase.java17 Mar 2003 19:24:13 -  1.7
  @@ -81,6 +81,10 @@
   import javax.management.ObjectName;
   import javax.management.MBeanServer;
   import javax.management.MBeanRegistration;
  +import javax.management.InstanceNotFoundException;
  +import javax.management.MBeanException;
  +import javax.management.ReflectionException;
  +import javax.management.MalformedObjectNameException;
   
   import org.apache.catalina.Container;
   import org.apache.catalina.Context;
  @@ -91,6 +95,9 @@
   import org.apache.catalina.LifecycleListener;
   import org.apache.catalina.Logger;
   import org.apache.catalina.Realm;
  +import org.apache.catalina.core.StandardEngine;
  +import org.apache.catalina.core.StandardHost;
  +import org.apache.catalina.core.StandardContext;
   
   import org.apache.catalina.deploy.LoginConfig;
   import org.apache.catalina.deploy.SecurityConstraint;
  @@ -101,6 +108,7 @@
   import org.apache.catalina.util.MD5Encoder;
   import org.apache.commons.logging.Log;
   import org.apache.commons.logging.LogFactory;
  +import org.apache.commons.modeler.Registry;
   
   /**
* Simple implementation of bRealm/b that reads an XML file to configure
  @@ -762,6 +770,9 @@
   log.info(sm.getString(realmBase.alreadyStarted));
   return;
   }
  +if( !initialized ) {
  +init();
  +}
   lifecycle.fireLifecycleEvent(START_EVENT, null);
   started = true;
   
  @@ -959,24 +970,24 @@
   }
   
   
  -/**
  - * Digest password using the algorithm especificied and
  - * convert the result to a corresponding hex string.
  - * If exception, the plain credentials string is returned
  - */
  -public static void main(String args[]) {
  -
  -if(args.length  2  args[0].equalsIgnoreCase(-a)) {
  -for(int i=2; i  args.length ; i++){
  -System.out.print(args[i]+:);
  -System.out.println(Digest(args[i], args[1]));
  -}
  -} else {
  -System.out.println
  -(Usage: RealmBase -a algorithm credentials);
  -}
  -
  -}
  +///**
  +// * Digest password using the algorithm especificied and
  +// * convert the result to a corresponding hex string.
  +// * If exception, the plain credentials string is returned
  +// */
  +//public static void main(String args[]) {
  +//
  +//if(args.length  2  args[0].equalsIgnoreCase(-a)) {
  +//for(int i=2; i  args.length ; i++){
  +//System.out.print(args[i]+:);
  +//System.out.println(Digest(args[i], args[1]));
  +//}
  +//} else {
  +//System.out.println
  +//(Usage: RealmBase -a algorithm credentials);
  +//}
  +//
  +//}
   
   //  JMX and Registration  
   protected String type;
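Review bot: `main()` is disabled by prefixing every line with `//` instead of being deleted. Commented-out code tends to linger, and the log message already says the method belongs in a separate class if it is needed, so delete it here (CVS keeps the history) or move it in the same commit.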
  @@ -1020,32 +1031,62 @@
   public void postDeregister() {
   }
   
  -public void init() throws Exception {
  -if( container!= null ) {
  -return;
  -}
  -
  -// Register with the parent
  -Set names=null;
  -if( host == null ) {
  -// global
  -names=mserver.queryNames(new ObjectName(domain +:type=Engine,*), 
null);
  -} else if( path==null ) {
  -names=mserver.queryNames(new ObjectName(domain +
  -:type=Host,host= + host +,*), null);
  -} else {
  -names=mserver.queryNames(new ObjectName(domain 
+:j2eeType=WebModule,name=// +
  -host + / + path + ,*), null);
  +protected boolean initialized=false;
  +
  +public void init() {
  +if( initialized ) return;
  +
  +initialized=true;
  +if( container== null ) {
  +// Register with the parent
  +try {
  +Set names=null;
  +if( host == null ) {
  +// global
  +names=mserver.queryNames(new ObjectName(domain 
+:type=Engine,*), null);
  +} else if( 
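Review bot: `initialized=true` is set at the top of the new `init()`, before the registration inside the `try`, so if that registration fails the realm is still marked initialized and the `if( !initialized )` guard added to `start()` will never retry it. Set the flag after the work succeeds, or reset it on the failure path. The check-then-set on `initialized` is also unsynchronized, and `init()` no longer declares `throws Exception`, so failures need to be logged rather than lost.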

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java

2002-08-15 Thread remm

remm2002/08/15 10:47:04

  Modified:catalina/src/share/org/apache/catalina/realm RealmBase.java
  Log:
  - Remove double URI decoding.
  - This could improve performance as well as fix i18n issues.
  - This may have been a security issue.
  - Reported by Juergen Pill Juergen.Pill at softwareag.com
  
  Revision  ChangesPath
  1.4   +4 -5  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java
  
  Index: RealmBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- RealmBase.java9 Aug 2002 01:12:39 -   1.3
  +++ RealmBase.java15 Aug 2002 17:47:04 -  1.4
  @@ -455,7 +455,6 @@
   String contextPath = hreq.getContextPath();
   if (contextPath.length()  0)
   uri = uri.substring(contextPath.length());
  -uri = RequestUtil.URLDecode(uri); // Before checking constraints
   String method = hreq.getMethod();
   for (int i = 0; i  constraints.length; i++) {
   if (debug = 2)
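Review bot: The removed line carried the only comment tying decoding to the constraint check ("Before checking constraints"); after this change nothing here states that `uri` has already been decoded exactly once. Add a comment naming where that decoding happens, and a test that an encoded and a doubly encoded form of a protected path are matched the way the rest of request processing sees them, since the log message itself says the double decoding may have been a security issue.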
  
  
  
