Author: markt Date: Mon Aug 27 21:28:04 2012 New Revision: 1377878 URL: http://svn.apache.org/viewvc?rev=1377878&view=rev Log: * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53584 Ignore path parameters when comparing URIs for FORM authentication. This prevents users being prompted twice for passwords when logging in when session IDs are being encoded as path parameters.
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/SavedRequest.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1377878&r1=1377877&r2=1377878&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Mon Aug 27 21:28:04 2012 @@ -136,16 +136,6 @@ PATCHES PROPOSED TO BACKPORT: +1: kfujino, kkolinko -1: -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53584 - Ignore path parameters when comparing URIs for FORM authentication. This - prevents users being prompted twice for passwords when logging in when session - IDs are being encoded as path parameters. - http://svn.apache.org/viewvc?rev=1370537&view=rev - http://svn.apache.org/viewvc?rev=1372390&view=rev (addresses kkolinko's -1) - +1: markt, schultz - +1: kkolinko (OK, my concerns were addressed) - -1: - * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53481 Add support for SSLHonorCipherOrder http://svn.apache.org/viewvc?view=revision&revision=1371298 Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1377878&r1=1377877&r2=1377878&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Mon Aug 27 21:28:04 2012 
@@ -397,11 +397,11 @@ public class FormAuthenticator
 return (false);
 // Does the request URI match?
- String requestURI = request.getRequestURI();
- if (requestURI == null)
+ String decodedRequestURI = request.getDecodedRequestURI();
+ if (decodedRequestURI == null) {
 return (false);
- return (requestURI.equals(sreq.getRequestURI()));
-
+ }
+ return (decodedRequestURI.equals(sreq.getDecodedRequestURI()));
 }
@@ -547,6 +547,7 @@ public class FormAuthenticator
 saved.setMethod(request.getMethod());
 saved.setQueryString(request.getQueryString());
 saved.setRequestURI(request.getRequestURI());
+ saved.setDecodedRequestURI(request.getDecodedRequestURI());
 // Stash the SavedRequest in our session for later use
 session.setNote(Constants.FORM_REQUEST_NOTE, saved);
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/SavedRequest.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/SavedRequest.java?rev=1377878&r1=1377877&r2=1377878&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/SavedRequest.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/SavedRequest.java Mon Aug 27 21:28:04 2012
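Review bot: The new equality check in matchRequest now deliberately accepts requests whose raw URI differs from the saved one (path parameters stripped, percent-encoding resolved), and nothing in the hunk says so; I would put `// Compare decoded URIs so that path parameters (e.g. an encoded session ID) and encoding differences do not defeat the match` above the `getDecodedRequestURI()` call. Note also that `sreq.getDecodedRequestURI()` is null for any SavedRequest created before this field existed, for instance one persisted or replicated by an older build if SavedRequest is serialized as the changelog context suggests; `equals(null)` is false, so such a session falls back to the old double-prompt behaviour rather than matching wrongly, which is worth a short comment as well. matchRequest begins before the hunk.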
@@ -169,6 +169,21 @@ public final class SavedRequest {
 /**
+ * The decode request URI associated with this Request. Path parameters are
+ * also excluded
+ */
+ private String decodedRequestURI = null;
+
+ public String getDecodedRequestURI() {
+ return (this.decodedRequestURI);
+ }
+
+ public void setDecodedRequestURI(String decodedRequestURI) {
+ this.decodedRequestURI = decodedRequestURI;
+ }
+
+
+ /**
 * The body of this request.
 */
 private ByteChunk body = null;
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1377878&r1=1377877&r2=1377878&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Mon Aug 27 21:28:04 2012
@@ -180,6 +180,12 @@
 serializable so that it can be replicated across a cluster and/or persisted across Tomcat restarts. (markt)
 </fix>
+ <fix>
+ <bug>53584</bug>: Ignore path parameters when comparing URIs for FORM
+ authentication. This prevents users being prompted twice for passwords
+ when logging in when session IDs are being encoded as path parameters.
+ (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
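Review bot: The Javadoc on the new field reads `The decode request URI associated with this Request. Path parameters are also excluded` — "decode" should be "decoded" and the second sentence has no terminating period; `The decoded request URI associated with this Request, with path parameters removed.` states what the field holds in one sentence. The accessor pair follows the same shape as the neighbouring fields, so no further change is needed in this hunk.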