Re: Tomcat 4.x auth issue
Bill Barker wrote:

> I'm hardly a 4.x expert, but this looks like it will solve the major problem. This fix will still send an Auth to /myapp if you first request /myapp/protected, but that shouldn't be too much of a problem. In 5.0, I think that the spec is going to eventually require that we move the logic to the Mapper however.

Which BTW is not implementable in the general case; if you allow only physical resources, it should be possible, though. (At least, if you find a way which works, let me know.)

Remy

--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Tomcat 4.x auth issue
Tomcat 4.x has a problem -- it challenges for auth prior to any redirects. This is wrong because it causes most browsers to cache auth info for the entire domain when hitting top-level directories. For example:

WRONG way:
GET /foo - 401
GET /foo with auth - 301 to /foo/index.html
GET /foo/index.html with auth - 200
GET /bar WITH auth .. (browser will send auth to entire domain!)

RIGHT way: (Apache being the best example)
GET /foo - 301 to /foo/index.html
GET /foo/index.html - 401
GET /foo/index.html with auth - 200
GET /bar WITHOUT auth

It looks like this is difficult to fix since the "is this a directory? Are there welcome files?" logic needs to move up out of DefaultServlet to a location in the request chain prior to the auth valve. Any better ideas are welcome as I begin hacking..

Keith
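An added example, not code from this thread or from Tomcat: a small Python model of the two request orderings Keith lays out. The toy server keeps the 4.x valve order (authenticator first, then the DefaultServlet's welcome-file redirect) and its url-pattern matcher has a `fixed` switch that mirrors the one-liner Keith posts in his follow-up (an empty path stops matching any constraint). The toy browser follows the RFC 2617 Basic rule that every URI at or below the directory of the URI that was challenged is assumed to be in the same protection space, which is why a challenge at the top-level `/foo` leaks credentials to `/bar`. The contexts `/foo` (protected by `/*`) and `/bar` (unprotected) and all class and function names are constructed for the illustration.

```python
"""Toy model of the Tomcat 4.x 'challenge before redirect' ordering.

Added example for this thread, not Tomcat code. Site, Context, Browser,
matches() and the sample contexts /foo and /bar are constructed here.
"""
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Response:
    status: int
    location: Optional[str] = None


@dataclass
class Context:
    path: str                   # context path, e.g. "/foo"
    constraint: Optional[str]   # url-pattern of its security constraint, or None


def matches(path: str, pattern: str, fixed: bool) -> bool:
    """Toy url-pattern match. Before the fix an empty path (context root
    requested without a trailing slash) is normalized to "/" and so matches
    a "/*" constraint; after the fix an empty path matches nothing."""
    if not path:
        if fixed:
            return False
        path = "/"
    if not pattern:
        pattern = "/"
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


class Site:
    """Origin server with the 4.x valve order: authenticator, then DefaultServlet."""

    def __init__(self, contexts: List[Context], fixed: bool):
        # longest context path wins, as in the container's mapper
        self.contexts = sorted(contexts, key=lambda c: len(c.path), reverse=True)
        self.fixed = fixed

    def handle(self, uri: str, has_auth: bool) -> Response:
        ctx = next(c for c in self.contexts
                   if uri == c.path or uri.startswith(c.path + "/"))
        rel = uri[len(ctx.path):]   # "" for /foo, "/index.html" for /foo/index.html
        # Authenticator valve: challenge if a constraint covers the path.
        if ctx.constraint and matches(rel, ctx.constraint, self.fixed) and not has_auth:
            return Response(401)
        # DefaultServlet: directory request without a slash -> welcome-file redirect.
        if rel == "":
            return Response(301, ctx.path + "/index.html")
        return Response(200)


class Browser:
    """RFC 2617 Basic client: after one challenge, send the credentials
    pre-emptively to every URI at or below the challenged URI's directory."""

    def __init__(self, site: Site):
        self.site = site
        self.auth_dirs: List[str] = []

    def _has_creds_for(self, uri: str) -> bool:
        return any(uri.startswith(d) for d in self.auth_dirs)

    def get(self, uri: str) -> List[Tuple[str, bool, int]]:
        """Follow redirects and answer a challenge; return (uri, sent_auth, status) steps."""
        trace = []
        while True:
            sent = self._has_creds_for(uri)
            resp = self.site.handle(uri, sent)
            trace.append((uri, sent, resp.status))
            if resp.status == 401 and not sent:
                # Remember the protection space: the directory of the challenged URI.
                self.auth_dirs.append(posixpath.dirname(uri).rstrip("/") + "/")
                continue
            if resp.status == 301 and resp.location:
                uri = resp.location
                continue
            return trace


def scenario(fixed: bool):
    """Traces for GET /foo then GET /bar against a site where only /foo is protected."""
    site = Site([Context("/foo", "/*"), Context("/bar", None)], fixed)
    browser = Browser(site)
    return browser.get("/foo"), browser.get("/bar")


def auth_sent_to(trace, uri: str) -> bool:
    return any(u == uri and sent for u, sent, _ in trace)


if __name__ == "__main__":
    for fixed, label in ((False, "WRONG way (4.x)"), (True, "RIGHT way (empty path unconstrained)")):
        print(label)
        for trace in scenario(fixed):
            for u, sent, status in trace:
                print(f"  GET {u} {'with' if sent else 'without'} auth - {status}")
```

Running it prints the two sequences from the post above. The point to notice is that the one-liner does not reorder anything: the authenticator still runs before the DefaultServlet, but with an empty path no longer matching, the challenge is simply deferred to `/foo/index.html`, whose directory `/foo/` is the protection space the browser then remembers.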
RE: Tomcat 4.x auth issue
The bugfix turned out to be a one-liner:

Index: SecurityConstraint.java
===
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/deploy/SecurityConstraint.java,v
retrieving revision 1.5
diff -u -r1.5 SecurityConstraint.java
--- SecurityConstraint.java 22 Jul 2001 20:25:10 - 1.5
+++ SecurityConstraint.java 4 Jul 2002 02:50:10 -
@@ -455,7 +455,7 @@
 // Normalize the argument strings
 if ((path == null) || (path.length() == 0))
-path = /;
+return(false);
 if ((pattern == null) || (pattern.length() == 0))
 pattern = /;

I'll apply this fix if someone more versed in 4.x approves it.

Keith

| -Original Message-
| From: Keith Wannamaker [mailto:[EMAIL PROTECTED]]
| Sent: Wednesday, July 03, 2002 7:34 PM
| To: [EMAIL PROTECTED]
| Subject: Tomcat 4.x auth issue
|
|
| Tomcat 4.x has a problem -- it challenges for auth
| prior to any redirects. This is wrong because it causes
| most browsers to cache auth info for the entire domain
| when hitting top-level directories.
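Review bot: the early `return(false)` for a null or empty path means the request for the context root without a trailing slash can no longer match any constraint, `/*` included, so whatever handles that request now runs with no challenge; that is only safe while the sole thing done for an empty path is the redirect to the welcome file. Two things to tighten before applying: the `// Normalize the argument strings` comment above the changed line no longer describes the first branch (the pattern is still normalized to `/`, the path is now rejected outright), so replace or extend it with the reason, e.g. `// Empty path: leave it unconstrained so the welcome-file redirect happens before any challenge`; and check what happens when a servlet (a custom default servlet, or one mapped at `/`) serves content for the empty path instead of redirecting, since that content would then be served past a `/*` constraint.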
Re: Tomcat 4.x auth issue
I'm hardly a 4.x expert, but this looks like it will solve the major problem. This fix will still send an Auth to /myapp if you first request /myapp/protected, but that shouldn't be too much of a problem. In 5.0, I think that the spec is going to eventually require that we move the logic to the Mapper however.

- Original Message -
From: Keith Wannamaker [EMAIL PROTECTED]
To: Tomcat Developers List [EMAIL PROTECTED]
Sent: Wednesday, July 03, 2002 8:55 PM
Subject: RE: Tomcat 4.x auth issue

The bugfix turned out to be a one-liner:

Index: SecurityConstraint.java
===
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/deploy/SecurityConstraint.java,v
retrieving revision 1.5
diff -u -r1.5 SecurityConstraint.java
--- SecurityConstraint.java 22 Jul 2001 20:25:10 - 1.5
+++ SecurityConstraint.java 4 Jul 2002 02:50:10 -
@@ -455,7 +455,7 @@
 // Normalize the argument strings
 if ((path == null) || (path.length() == 0))
-path = /;
+return(false);
 if ((pattern == null) || (pattern.length() == 0))
 pattern = /;

I'll apply this fix if someone more versed in 4.x approves it.

Keith

| -Original Message-
| From: Keith Wannamaker [mailto:[EMAIL PROTECTED]]
| Sent: Wednesday, July 03, 2002 7:34 PM
| To: [EMAIL PROTECTED]
| Subject: Tomcat 4.x auth issue
|
|
| Tomcat 4.x has a problem -- it challenges for auth
| prior to any redirects. This is wrong because it causes
| most browsers to cache auth info for the entire domain
| when hitting top-level directories.