DO NOT REPLY [Bug 34560] - AuthenticatorBase tests and applies disableProxyCaching even if no auth-constraints

2005-04-24 Thread bugzilla
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=34560


[EMAIL PROTECTED] changed:

   What                          |Removed |Added
   Attachment #14814 is obsolete |0       |1




--- Additional Comments From [EMAIL PROTECTED]  2005-04-24 18:56 ---
Created an attachment (id=14824)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=14824&action=view)
'diff' version of the patch

diff made with textpad, a nice alternative to the non-pc-friendly ways
suggested.


-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug, or are watching the assignee.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



DO NOT REPLY [Bug 34560] - AuthenticatorBase tests and applies disableProxyCaching even if no auth-constraints

2005-04-24 Thread bugzilla





--- Additional Comments From [EMAIL PROTECTED]  2005-04-24 18:26 ---
Thank you for your dedication and research.
I read the servlet spec, section 12.8.

It is very clear to me that the transport constraint is orthogonal to the
authentication constraint.

That is, a 'confidential' transport may not obviously require authentication.
That is especially true for web sites that are fully https to avoid mixed
secure/unsecure content warnings on browsers, while allowing decent caching for
resources that do not need authentication/authorization, like js, css, gifs...

I'm not suggesting to change any of the current logic surrounding
confidential/integral/none. I'm highlighting that the 'de-caching' headers must
only be applied when the authentication is required, which has nothing to do
with transport constraints.

Meanwhile, the http spec is stating that authorization must be challenged
every time and resources, if cached, cannot bypass the authentication. It doesn't
mention anything specific to the ssl nature (or else) of the lower layer
transporting http content.

Thanks again.




DO NOT REPLY [Bug 34560] - AuthenticatorBase tests and applies disableProxyCaching even if no auth-constraints

2005-04-23 Thread bugzilla





--- Additional Comments From [EMAIL PROTECTED]  2005-04-24 01:36 ---
Please see http://jakarta.apache.org/site/source.html#Patches for the format 
that patches should be submitted in.

That having been said, I'm -1 for the patch as is.  As I read section 12.8 of 
the servlet spec, the headers should be added for a transport-guarantee of 
CONFIDENTIAL.  I agree that it is optional for a transport-guarantee of 
INTEGRAL.




DO NOT REPLY [Bug 34560] - AuthenticatorBase tests and applies disableProxyCaching even if no auth-constraints

2005-04-23 Thread bugzilla





--- Additional Comments From [EMAIL PROTECTED]  2005-04-24 00:13 ---
Created an attachment (id=14814)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=14814&action=view)
patch to head cvs (1.30)

line 437:

//+ ASF Bugzilla Bug 34560 fix:
boolean requireAuthentication = false;
for (int i = 0; i < constraints.length; i++) {
    if (constraints[i].getAuthConstraint()) {
        requireAuthentication = true;
        break;
    }
}
//+

// Make sure that constrained resources are not cached by web proxies
// or browsers as caching can provide a security hole
//+ SSL can be cached (by browser only, and by user choice); authenticated
//+ resources must not.
if (requireAuthentication && disableProxyCaching &&

[...]


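The following is an added example, not Tomcat's AuthenticatorBase or the attached patch: it models the decision the patch proposes (apply the no-cache headers only when a matching constraint carries an auth-constraint) next to the behaviour the bug report describes (the flag alone decides), and runs both over the three situations argued in this thread. The Constraint class is a stand-in for Tomcat's SecurityConstraint with only the two accessors needed here, and the header names and values are assumed, since the thread does not list them.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not Tomcat's AuthenticatorBase): models the decision the patch
// proposes so the cases argued in the bug can be compared side by side.
public class ProxyCachingDecision {

    // Stand-in for Tomcat's SecurityConstraint; only the accessors used here are modelled.
    static final class Constraint {
        private final boolean authConstraint;    // true when an <auth-constraint> is present
        private final String transportGuarantee; // NONE, INTEGRAL or CONFIDENTIAL

        Constraint(boolean authConstraint, String transportGuarantee) {
            this.authConstraint = authConstraint;
            this.transportGuarantee = transportGuarantee;
        }

        boolean getAuthConstraint() { return authConstraint; }

        String getTransportGuarantee() { return transportGuarantee; }
    }

    /** Behaviour the bug report describes: the flag alone decides, whatever the constraints say. */
    static boolean disablesCachingBeforePatch(Constraint[] constraints, boolean disableProxyCaching) {
        return disableProxyCaching;
    }

    /** The patch's rule: the flag applies only if some matching constraint requires authentication. */
    static boolean disablesCachingAfterPatch(Constraint[] constraints, boolean disableProxyCaching) {
        if (!disableProxyCaching || constraints == null) {
            return false;
        }
        for (Constraint c : constraints) {
            if (c.getAuthConstraint()) {
                return true;
            }
        }
        return false;
    }

    /** Headers a no-cache decision adds; names and values are assumptions, not taken from the thread. */
    static Map<String, String> cacheHeaders(boolean disableCaching) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (disableCaching) {
            headers.put("Pragma", "No-cache");
            headers.put("Cache-Control", "no-cache");
            headers.put("Expires", "Thu, 01 Jan 1970 00:00:00 GMT"); // constructed past date
        }
        return headers;
    }

    public static void main(String[] args) {
        // Constructed constraint sets for the three situations discussed in the bug.
        Map<String, Constraint[]> cases = new LinkedHashMap<>();
        cases.put("static css, no constraint matched", null);
        cases.put("CONFIDENTIAL only, no auth-constraint",
                  new Constraint[] { new Constraint(false, "CONFIDENTIAL") });
        cases.put("auth-constraint with a role",
                  new Constraint[] { new Constraint(true, "NONE") });

        for (Map.Entry<String, Constraint[]> e : cases.entrySet()) {
            boolean before = disablesCachingBeforePatch(e.getValue(), true);
            boolean after = disablesCachingAfterPatch(e.getValue(), true);
            System.out.printf("%-40s before=%-5s after=%-5s headers=%s%n",
                              e.getKey(), before, after, cacheHeaders(after));
        }
    }
}
```

Only the third case keeps the headers under the patch's rule. The second case is exactly where the reviewer's reading of servlet spec 12.8 differs: treating a CONFIDENTIAL transport-guarantee as also requiring the headers would mean checking getTransportGuarantee() as well as getAuthConstraint(), which is the open question in this thread.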



DO NOT REPLY [Bug 34560] - AuthenticatorBase tests and applies disableProxyCaching even if no auth-constraints

2005-04-23 Thread bugzilla





--- Additional Comments From [EMAIL PROTECTED]  2005-04-23 09:40 ---
If the fix is trivial, and you want us to reconsider, you should submit a tested
patch against CVS HEAD.




DO NOT REPLY [Bug 34560] - AuthenticatorBase tests and applies disableProxyCaching even if no auth-constraints

2005-04-22 Thread bugzilla


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|WONTFIX |




--- Additional Comments From [EMAIL PROTECTED]  2005-04-23 04:56 ---
In order to respect the authentication spec rfc2616-14.8, although the
authorization is made by a form and not a header, the FormAuthenticator valve
was capable of emulating the proper caching constraints. The code is
manipulating the correct headers but under inaccurate circumstances.

The problem is not related to the 
tags. It has to do with the absence of  tags.

The FormAuthenticator valve is visited for mappings that do not require
authentication. That alone is questionable, but assuming the valve may perform
other contracts, I supposed this visit is unavoidable. However, within the
mandate of performing authentication based operations, the valve should restrict
itself to mappings that strictly have at least 1 role.

Like I said, every tomcat application out there is silently suffering from
non-cached static resources because:
1- the valve intercepts EVERY request, even if not matching the url pattern
AND
2- the valve does not recognize the absence of authentication constraints.

Thanks for reconsidering.

PS:...especially since the fix is trivial:
(skip if constraints == null || constraints.length == 0 || all of
constraints[i].getAuthConstraint() == false)

PS:You might want to consult http://www.mnot.net/cache_docs/
and other doc like the rfc 2616
http://www.w3.org/Protocols/rfc2616/rfc2616.html
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.8

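The comment above argues from RFC 2616 section 14.8 (a shared cache must not reuse a response to a request that carried an Authorization header unless the response says s-maxage, must-revalidate or public). The following is an added example, not Tomcat code, that encodes that rule together with the no-store, private and no-cache response directives of section 14.9 and runs it over four constructed request/response pairs. It shows why a form-authenticated response (no Authorization header) only gets the protection Basic auth gets for free when explicit no-cache headers are added, and also the cost the bug reports when those headers land on static resources. The header values are constructed and the helper names are mine.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

// Added example (not Tomcat code): models the RFC 2616 14.8 / 14.9 shared-cache rules
// referenced in the bug comment above.
public class SharedCacheRule {

    /** Cache-Control directive names of a response, lower-cased, with any "=value" dropped. */
    static Set<String> directives(Map<String, String> responseHeaders) {
        Set<String> names = new HashSet<>();
        String cc = responseHeaders.get("Cache-Control");
        if (cc == null) {
            return names;
        }
        for (String d : cc.split(",")) {
            names.add(d.trim().toLowerCase(Locale.ROOT).split("=")[0]);
        }
        return names;
    }

    /**
     * May a shared (proxy) cache hand the stored response to a different client
     * without revalidating it? no-store, private and no-cache (14.9) forbid that
     * outright; with an Authorization header on the request (14.8) only
     * s-maxage, must-revalidate or public make the response reusable.
     */
    static boolean sharedCacheMayReuse(Map<String, String> requestHeaders,
                                       Map<String, String> responseHeaders) {
        Set<String> cc = directives(responseHeaders);
        if (cc.contains("no-store") || cc.contains("private") || cc.contains("no-cache")) {
            return false;
        }
        if (requestHeaders.containsKey("Authorization")) {
            return cc.contains("s-maxage") || cc.contains("must-revalidate") || cc.contains("public");
        }
        return true;
    }

    /** Builds a case-insensitive header map from name/value pairs (HTTP header names are case-insensitive). */
    static Map<String, String> headers(String... nameValuePairs) {
        Map<String, String> map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        for (int i = 0; i + 1 < nameValuePairs.length; i += 2) {
            map.put(nameValuePairs[i], nameValuePairs[i + 1]);
        }
        return map;
    }

    static void report(String label, boolean reusable) {
        System.out.printf("%-42s shared cache may reuse: %s%n", label, reusable);
    }

    public static void main(String[] args) {
        // Constructed requests and responses; credential values are placeholders.
        Map<String, String> basicAuthRequest = headers("Authorization", "Basic <constructed>");
        Map<String, String> formAuthRequest = headers("Cookie", "JSESSIONID=<constructed>");
        Map<String, String> anonymousRequest = headers();
        Map<String, String> plainResponse = headers("Content-Type", "text/html");
        Map<String, String> noCacheResponse = headers("Pragma", "No-cache",
                                                      "Cache-Control", "no-cache");

        // Basic auth: 14.8 already protects the response without any cache headers.
        report("Basic auth, no cache headers", sharedCacheMayReuse(basicAuthRequest, plainResponse));
        // Form auth: no Authorization header, so 14.8 does not apply; this is the gap the valve closes.
        report("Form auth, no cache headers", sharedCacheMayReuse(formAuthRequest, plainResponse));
        // Form auth with the valve's headers: protected again.
        report("Form auth, no-cache headers", sharedCacheMayReuse(formAuthRequest, noCacheResponse));
        // Anonymous static resource given the same headers: the needless cost the bug reports.
        report("Anonymous css, no-cache headers", sharedCacheMayReuse(anonymousRequest, noCacheResponse));
    }
}
```

The first, third and fourth cases come out as not reusable and only the second as reusable, which is the asymmetry the comment relies on: a form-based login leaves no Authorization header for caches to key on, so the container has to emulate 14.8 with explicit headers, and it should do so only on the mappings that actually require authentication.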



DO NOT REPLY [Bug 34560] - AuthenticatorBase tests and applies disableProxyCaching even if no auth-constraints

2005-04-22 Thread bugzilla


[EMAIL PROTECTED] changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution||WONTFIX




--- Additional Comments From [EMAIL PROTECTED]  2005-04-22 21:05 ---
You might have a case for INTEGRAL, but not CONFIDENTIAL.  But even then it's 
a corner-case that is unlikely to attract much developer interest.

You can always configure disableProxyCaching="false" on the Authenticator to 
disable this, or add a Filter that overrides Tomcat's choice of headers.
