Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-25 Thread Remy Maucherat
Costin Manolache wrote:
Remy Maucherat wrote:
IE is still (unfortunately) the browser used by a lot of people, and if
there is a way to work around IE brokenness - I think it's a good idea to 
do it.

Complaining to M$ doesn't work - people will just end up buying IIS 
instead :-)

Seriously, not sure why the veto is invalid - if the choice is between 
Because the change is integrated in all 5.x stable releases, and because 
it is just too old. It should be plainly obvious.

having it working for 90% of the people and doing it 'right' - it is 
worth probably more discussion and a pragmatic decision :-) I would vote 
for fixing it for the 90% of people - at least until IE gets down to 
some 49%.
The issue obviously does not affect 90% of people (if it was, we'd have 
more than a few people complaining, it should be obvious ...), as the IE 
bug is a specific situation, unlike what Keith's FUD would want to show. 
However, it used to completely break Mozilla under SSL (as a compromise, 
I asked for Keith to show good faith and test it again, but all he 
seemed to be interested in is least effort in getting his patch in).

Rémy
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-24 Thread Costin Manolache
Remy Maucherat wrote:
Keith Wannamaker wrote:
If no one else is concerned that Tomcat 5.5 doesn't work by default

Any other nonsensical statement to make ? The only thing that does not 
work is opening third party documents from the website, due to IE's 
broken handling of this.

How about a) going whining at M$ instead ? b) using appropriate 
configuration.

Your veto is completely invalid anyway.
IE is still (unfortunately) the browser used by a lot of people, and if
there is a way to work around IE brokenness - I think it's a good idea to 
do it.

Complaining to M$ doesn't work - people will just end up buying IIS 
instead :-)

Seriously, not sure why the veto is invalid - if the choice is between 
having it working for 90% of the people and doing it 'right' - it is 
worth probably more discussion and a pragmatic decision :-) I would vote 
for fixing it for the 90% of people - at least until IE gets down to 
some 49%.

Costin


cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-21 Thread keith
keith   2005/04/21 06:01:45

  Modified:catalina/src/share/org/apache/catalina/authenticator Tag:
TOMCAT_5_0 AuthenticatorBase.java
  Log:
  [34083, 27122, 28662, 29336, 29975, and 30618]
  Back out my previous change at Remy's wish so now Tomcat 5.0 too
  is incompatible with Internet Explorer under SSL by default.
  
  Revision  ChangesPath
  No   revision
  No   revision
  1.19.2.2  +3 -2  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.19.2.1
  retrieving revision 1.19.2.2
  diff -u -r1.19.2.1 -r1.19.2.2
  --- AuthenticatorBase.java18 Apr 2005 20:20:46 -  1.19.2.1
  +++ AuthenticatorBase.java21 Apr 2005 13:01:45 -  1.19.2.2
  @@ -473,7 +473,8 @@
   !POST.equalsIgnoreCase(hsrequest.getMethod())) {
   HttpServletResponse sresponse = 
   (HttpServletResponse) response.getResponse();
  -sresponse.setHeader(Cache-Control, private);
  +sresponse.setHeader(Pragma, No-cache);
  +sresponse.setHeader(Cache-Control, no-cache);
   sresponse.setHeader(Expires, DATE_ONE);
   }
   
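
Review bot: The two restored setHeader calls for Pragma and Cache-Control: no-cache go back in unconditionally and without a comment, although the log message itself says this leaves Tomcat 5.0 incompatible with Internet Explorer under SSL by default. Add a short comment above them citing the bug numbers from the log, so the reason for keeping these headers and the known IE side effect are recorded next to the code.
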
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-21 Thread Keith Wannamaker
No one has commented so I withdraw my (valid) veto and I'll roll back
5.0 per Remy's wish.  I'm disappointed because I remember when Tomcat 
was an open-source project.

Keith
My veto of this change still stands, and it would be your responsibility 
to find a fix more compatible with IE.  If no one else besides me 
thinks IE compatibility is important, head of tree is fine and I will 
withdraw my veto.



Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-19 Thread Remy Maucherat
Keith Wannamaker wrote:
I read:
// FIXME: Disabled for Mozilla FORM support over SSL
// (improper caching issue)
Indeed (I now remember the issue), there would be serious issues 
should this not be the default.
The issue here is, apparently, that Mozilla has a caching bug we are 
working around, so we have to disable caching.  However, I don't know 
that the broken Mozilla agent requires the Pragma header to do this.
It would be needed to test it. Unfortunately, I didn't mention the bug 
id (assuming there was one), so I don't know exactly what should be tested.

Now, I think you are misrepresenting the IE issue, and it's not such a 
big issue. 
Here is a test war for you and those interested,
http://apache.org/~keith/ietest.war.  If you deploy this you will see 
that you cannot download the one file in the webapp with IE with head of 
tree.  If you comment out the pragma header in AuthenticatorBase, it 
works fine.

Despite your renaming, I want to emphasize that I am not talking about 
the cache-control header, and am fine with it being either private or 
no-cache.
The old name was bad. If you want to change it again to something 
better, it's fine.

I am perfectly fine with adding new configurability and documenting it 
properly, but defaults should lean towards the safer solution.
I disagree, defaults should be friendly to the largest client base.
Good, I obviously disagree.
BTW, I really don't see any problem with not using the defaults, and 
actually configuring something. Is that really a big issue for you and 
the people who reported this problem ? For example, in JBoss, I use a 
different default configuration and I don't make a big issue out of it.
I think Tomcat should work with IE under SSL, and yes, I think it is a 
big issue that Tomcat doesn't, out of the box.
I am really annoyed because I see more and more people trying to shove 
down people's throat whatever defaults they like best. This leads to 
unproductive discussions. As a result, I'd like to stop here, and move 
on (especially since I don't see the issue as a major problem - the 
mozilla issue, however, was a major problem, as it was potentially 
displaying wrong stuff to users).

Rémy


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-19 Thread Keith Wannamaker
Remy, I have to -1 your change in AuthenticatorBase 1.13.  You broke a 
larger case than you fixed -- Mozilla may work now but IE doesn't.  See 
bugs 34083, 27122, 28662, 29336, 29975, and 30618 for the IE problem. 
Mozilla should be fixed in a way compatible with IE.

By uncommenting !isSecure, my change in 1.26 and on can all be backed out.
If no one else is concerned that Tomcat 5.5 doesn't work by default with 
IE under SSL, then I'll withdraw my veto and rename the attribute I 
added to 'securePagesWithPragma' and make the pragma conditional, with a 
default of being included.

Keith
Remy Maucherat wrote:
I see more and more people trying to shove 
down people's throat whatever defaults they like best. 
:-) me too


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-19 Thread Remy Maucherat
Keith Wannamaker wrote:
If no one else is concerned that Tomcat 5.5 doesn't work by default
Any other nonsensical statement to make ? The only thing that does not 
work is opening third party documents from the website, due to IE's 
broken handling of this.

How about a) going whining at M$ instead ? b) using appropriate 
configuration.

Your veto is completely invalid anyway.
Rémy


cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-19 Thread remm
remm    2005/04/19 06:35:16

  Modified:catalina/src/share/org/apache/catalina/authenticator
AuthenticatorBase.java
  Log:
  - Remove inaccurate comments.
  - Change field name as suggested.
  
  Revision  ChangesPath
  1.29  +10 -13
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.28
  retrieving revision 1.29
  diff -u -r1.28 -r1.29
  --- AuthenticatorBase.java18 Apr 2005 21:48:14 -  1.28
  +++ AuthenticatorBase.java19 Apr 2005 13:35:16 -  1.29
  @@ -147,7 +147,7 @@
* Flag to determine if we disable proxy caching with headers compatible
* with IE 
*/
  -protected boolean securePagesAsPrivate = false;
  +protected boolean securePagesWithPragma = false;
   
   /**
* The lifecycle event support for this component.
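
Review bot: The Javadoc above the renamed field still reads "headers compatible with IE", which does not describe a flag called securePagesWithPragma. Since the rename is meant to replace a bad name, update the comment in the same commit to say which headers are sent when the flag is true and which when it is false.
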
  @@ -350,8 +350,8 @@
* Return the flag that states, if proxy caching is disabled, what 
headers
* we add to disable the caching.  
*/
  -public boolean getSecurePagesAsPrivate() {
  -return securePagesAsPrivate;
  +public boolean getSecurePagesWithPragma() {
  +return securePagesWithPragma;
   }
   
   /**
  @@ -361,8 +361,8 @@
* generally compatible, codefalse/code if add headers which aren't
* known to be compatible.
*/
  -public void setSecurePagesAsPrivate(boolean securePagesAsPrivate) {
  -this.securePagesAsPrivate = securePagesAsPrivate;
  +public void setSecurePagesWithPragma(boolean securePagesWithPragma) {
  +this.securePagesWithPragma = securePagesWithPragma;
   }
   
   // - Public 
Methods
  @@ -440,14 +440,11 @@
   // (improper caching issue)
   //!request.isSecure() 
   !POST.equalsIgnoreCase(request.getMethod())) {
  -if (securePagesAsPrivate) {
  -  //this is the standard way to disable caching
  -  response.setHeader(Cache-Control, private);
  +if (securePagesWithPragma) {
  +response.setHeader(Cache-Control, private);
   } else {
  -  //IE won't render the page under SSL if this header is 
specified
  -  //TODO It was stipulated that these not be removed, not sure 
why
  -  response.setHeader(Pragma, No-cache);
  -  response.setHeader(Cache-Control, no-cache);
  +response.setHeader(Pragma, No-cache);
  +response.setHeader(Cache-Control, no-cache);
   }
   response.setHeader(Expires, DATE_ONE);
   }
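
Review bot: In the if (securePagesWithPragma) branch the flag name and the behaviour are opposite: true sends only Cache-Control: private, and the Pragma header is sent in the else branch, when the flag is false. Either swap the two branches or choose a name that matches the true case. The two removed comments were also the only place the IE-under-SSL problem was recorded next to the headers; a corrected comment would serve better than none.
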
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-19 Thread Remy Maucherat
[EMAIL PROTECTED] wrote:
//this is the standard way to disable caching
Note that I don't want to only disable proxy caching, but also any 
client caching by default (this can be disabled easily if you feel it is 
not needed - for example, put the auth configuration in 
/META-INF/context.xml) for all security constrained pages (and esp 
confidential ones), so the comment is not right.

SSL should do that, except with Mozilla, which apparently did aggressive 
caching anyway unless told otherwise. Newer Mozilla and/or Firefox may 
or may not have changed this, this was long ago.

Rémy
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-19 Thread keith
keith   2005/04/19 07:06:24

  Modified:catalina/src/share/org/apache/catalina/authenticator
AuthenticatorBase.java
  Log:
  [34083, 27122, 28662, 29336, 29975, and 30618]
  - invert so that securePagesWithPragma secures the pages with Pragma
(retaining Remy's default behavior)
  
  To enable downloading of office docs with IE under SSL, add
  
  <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
         securePagesWithPragma="false" />
  
  to context.xml (with the appropriate authenticator class)
  
  Revision  ChangesPath
  1.30  +12 -9 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.29
  retrieving revision 1.30
  diff -u -r1.29 -r1.30
  --- AuthenticatorBase.java19 Apr 2005 13:35:16 -  1.29
  +++ AuthenticatorBase.java19 Apr 2005 14:06:23 -  1.30
  @@ -144,10 +144,10 @@
   protected boolean disableProxyCaching = true;
   
   /**
  - * Flag to determine if we disable proxy caching with headers compatible
  + * Flag to determine if we disable proxy caching with headers 
incompatible
* with IE 
*/
  -protected boolean securePagesWithPragma = false;
  +protected boolean securePagesWithPragma = true;
   
   /**
* The lifecycle event support for this component.
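
Review bot: Changing the initial value from false to true here, together with the swapped branches in the last hunk, keeps the out-of-the-box headers the same but inverts the meaning of any explicitly configured securePagesWithPragma value. Say so in the log message, and have the field comment state which headers true and false each produce rather than only "incompatible with IE".
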
  @@ -348,7 +348,7 @@
   
   /**
* Return the flag that states, if proxy caching is disabled, what 
headers
  - * we add to disable the caching.  
  + * we add to disable the caching.
*/
   public boolean getSecurePagesWithPragma() {
   return securePagesWithPragma;
  @@ -357,9 +357,9 @@
   /**
* Set the value of the flag that states what headers we add to disable
* proxy caching.
  - * @param compatible codetrue/code if we add headers which are
  - * generally compatible, codefalse/code if add headers which aren't
  - * known to be compatible.
  + * @param securePagesWithPragma codetrue/code if we add headers 
which 
  + * are incompatible with downloading office documents in IE under SSL but
  + * which fix a caching problem in Mozilla.
*/
   public void setSecurePagesWithPragma(boolean securePagesWithPragma) {
   this.securePagesWithPragma = securePagesWithPragma;
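
Review bot: The new @param text describes only the true case. Add what false does (per the last hunk, Cache-Control: private and no Pragma header) so that someone setting the attribute in context.xml knows which headers they are trading.
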
  @@ -441,10 +441,13 @@
   //!request.isSecure() 
   !POST.equalsIgnoreCase(request.getMethod())) {
   if (securePagesWithPragma) {
  -response.setHeader(Cache-Control, private);
  -} else {
  +// FIXME: These cause problems with downloading office docs
  +// from IE under SSL and may not be needed for newer Mozilla
  +// clients.
   response.setHeader(Pragma, No-cache);
   response.setHeader(Cache-Control, no-cache);
  +} else {
  +response.setHeader(Cache-Control, private);
   }
   response.setHeader(Expires, DATE_ONE);
   }
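
Review bot: The else branch now sends Cache-Control: private with no comment, and private only forbids shared caches from storing the response; the browser's own cache may still keep it, so for security-constrained pages this branch leaves client-side freshness to the Expires header that follows. Note that next to the FIXME so the IE-friendly setting is not read as equivalent to no-cache.
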
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-19 Thread Remy Maucherat
[EMAIL PROTECTED] wrote:
keith   2005/04/19 07:06:24
  Modified:catalina/src/share/org/apache/catalina/authenticator
AuthenticatorBase.java
  Log:
  [34083, 27122, 28662, 29336, 29975, and 30618]
  - invert so that securePagesWithPragma secures the pages with Pragma
(retaining Remy's default behavior)
  
  To enable downloading of office docs with IE under SSL, add
  
  <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
         securePagesWithPragma="false" />
  
  to context.xml (with the appropriate authenticator class)
Thanks. If you can find precisely what the issue with Mozilla was, and 
certify the behavior is now correct in Firefox (= no stupid caching with 
SSL), then you can indeed uncomment the isSecure here:

// FIXME: Disabled for Mozilla FORM support over SSL
// (improper caching issue)
//!request.isSecure() 
Don't remove the new field, which has a different behavior which might 
be of interest to some people.

Rémy
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-19 Thread Keith Wannamaker
Remy Maucherat wrote:
Thanks. If you can find precisely what the issue with Mozilla was, and 
certify the behavior is now correct in Firefox (= no stupid caching with 
SSL), then you can indeed uncomment the isSecure here:

// FIXME: Disabled for Mozilla FORM support over SSL
// (improper caching issue)
//!request.isSecure() 
My veto of this change still stands, and it would be your responsibility 
to find a fix more compatible with IE.  If no one else besides me 
thinks IE compatibility is important, head of tree is fine and I will 
withdraw my veto.

Keith



Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-19 Thread Remy Maucherat
Keith Wannamaker wrote:
My veto of this change still stands, and it would be your responsibility 
to find a fix more compatible with IE.  If no one else besides me 
thinks IE compatibility is important, head of tree is fine and I will 
withdraw my veto.
All right, I was wrong to offer a compromise, it seems. Back to my 
previous position then: your veto is clearly invalid.

Rémy


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-19 Thread Remy Maucherat
[EMAIL PROTECTED] wrote:
keith   2005/04/18 13:20:46
  Modified:catalina/src/share/org/apache/catalina/authenticator Tag:
TOMCAT_5_0 AuthenticatorBase.java
  Log:
  [34083 et al] For webapps with security constraints, we default to sending
  headers to disable caching.  This is well-intentioned but IE will not open
  office documents under SSL with the Pragma header.  Remove the Pragma
  header and change the Cache-Control to private based on comments in
  the many bugs about this and my reading of the 1.1 spec.
Since we're on the subject, the 5.0.x branch is supposed to be stable. 
Changes which might break things are not a good idea.

Rémy


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-19 Thread Keith Wannamaker
If no one else weighs in on the root issue in a day or so, and you 
disagree with this change, I'll be happy to roll it back and/or backport 
5.5 head of tree in its place.

Keith
Remy Maucherat wrote:
[EMAIL PROTECTED] wrote:
keith   2005/04/18 13:20:46
  Modified:catalina/src/share/org/apache/catalina/authenticator Tag:
TOMCAT_5_0 AuthenticatorBase.java
  Log:
  [34083 et al] For webapps with security constraints, we default to 
sending
  headers to disable caching.  This is well-intentioned but IE will 
not open
  office documents under SSL with the Pragma header.  Remove the Pragma
  header and change the Cache-Control to private based on comments in
  the many bugs about this and my reading of the 1.1 spec.

Since we're on the subject, the 5.0.x branch is supposed to be stable. 
Changes which might break things are not a good idea.

Rémy


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-19 Thread Remy Maucherat
Keith Wannamaker wrote:
If no one else weighs in on the root issue in a day or so, and you 
disagree with this change, I'll be happy to roll it back and/or backport 
5.5 head of tree in its place.
You can of course backport the changes from head, which add 
configurability without changing the behavior.

Rémy


cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-18 Thread keith
keith   2005/04/18 13:20:46

  Modified:catalina/src/share/org/apache/catalina/authenticator Tag:
TOMCAT_5_0 AuthenticatorBase.java
  Log:
  [34083 et al] For webapps with security constraints, we default to sending
  headers to disable caching.  This is well-intentioned but IE will not open
  office documents under SSL with the Pragma header.  Remove the Pragma
  header and change the Cache-Control to private based on comments in
  the many bugs about this and my reading of the 1.1 spec.
  
  Revision  ChangesPath
  No   revision
  No   revision
  1.19.2.1  +2 -3  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.19
  retrieving revision 1.19.2.1
  diff -u -r1.19 -r1.19.2.1
  --- AuthenticatorBase.java26 Apr 2004 21:54:15 -  1.19
  +++ AuthenticatorBase.java18 Apr 2005 20:20:46 -  1.19.2.1
  @@ -473,8 +473,7 @@
   !POST.equalsIgnoreCase(hsrequest.getMethod())) {
   HttpServletResponse sresponse = 
   (HttpServletResponse) response.getResponse();
  -sresponse.setHeader(Pragma, No-cache);
  -sresponse.setHeader(Cache-Control, no-cache);
  +sresponse.setHeader(Cache-Control, private);
   sresponse.setHeader(Expires, DATE_ONE);
   }
   
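
Review bot: The log message attributes the IE failure to the Pragma header, but this hunk also replaces Cache-Control: no-cache with private, which is a weaker directive: it keeps shared caches from storing the response and lets the client cache keep it. Dropping only the Pragma line would be the smaller change for a stable branch; if private is intended, the reason belongs in a comment next to the header.
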
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-18 Thread keith
keith   2005/04/18 13:21:57

  Modified:catalina/src/share/org/apache/catalina/authenticator
AuthenticatorBase.java
  Log:
  [34083 et al] For webapps with security constraints, we default to sending
  headers to disable caching.  This is well-intentioned but IE will not open
  office documents under SSL with the Pragma header.  Remove the Pragma
  header and change the Cache-Control to private based on comments in
  the many bugs about this and my reading of the 1.1 spec.
  
  Per Remy make this behavior optional, with a new valve attribute
  
  Revision  ChangesPath
  1.26  +35 -3 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.25
  retrieving revision 1.26
  diff -u -r1.25 -r1.26
  --- AuthenticatorBase.java13 Sep 2004 21:07:43 -  1.25
  +++ AuthenticatorBase.java18 Apr 2005 20:21:57 -  1.26
  @@ -144,6 +144,12 @@
   protected boolean disableProxyCaching = true;
   
   /**
  + * Flag to determine if we disable proxy caching with headers compatible
  + * with IE 
  + */
  +protected boolean IECompatibleProxyCacheDisableHeaders = true;
  +
  +/**
* The lifecycle event support for this component.
*/
   protected LifecycleSupport lifecycle = new LifecycleSupport(this);
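
Review bot: The new field is initialised to true, so the Cache-Control: private path in the last hunk becomes the default, while the log message says the behaviour is being made optional. If the existing headers are to stay the default, initialise it to false. The name also starts with an upper-case letter, unlike disableProxyCaching in the context line above; a lower-case first letter would match the surrounding fields.
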
  @@ -339,6 +345,25 @@
   public void setDisableProxyCaching(boolean nocache) {
   disableProxyCaching = nocache;
   }
  +
  +/**
  + * Return the flag that states, if proxy caching is disabled, what 
headers
  + * we add to disable the caching.  
  + */
  +public boolean getIECompatibleProxyCacheDisableHeaders() {
  +return IECompatibleProxyCacheDisableHeaders;
  +}
  +
  +/**
  + * Set the value of the flag that states what headers we add to disable
  + * proxy caching.
  + * @param compatible codetrue/code if we add headers which are
  + * generally compatible, codefalse/code if add headers which aren't
  + * known to be compatible.
  + */
  +public void setIECompatibleProxyCacheDisableHeaders(boolean compatible) {
  +IECompatibleProxyCacheDisableHeaders = compatible;
  +}
   
   // - Public 
Methods
   
  @@ -415,8 +440,15 @@
   // (improper caching issue)
   //!request.isSecure() 
   !POST.equalsIgnoreCase(request.getMethod())) {
  -response.setHeader(Pragma, No-cache);
  -response.setHeader(Cache-Control, no-cache);
  +if (IECompatibleProxyCacheDisableHeaders) {
  +  //this is the standard way to disable caching
  +  response.setHeader(Cache-Control, private);
  +} else {
  +  //IE won't render the page under SSL if this header is 
specified
  +  //TODO It was stipulated that these not be removed, not sure 
why
  +  response.setHeader(Pragma, No-cache);
  +  response.setHeader(Cache-Control, no-cache);
  +}
   response.setHeader(Expires, DATE_ONE);
   }
   
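
Review bot: The comment "this is the standard way to disable caching" on the Cache-Control: private line is inaccurate: private restricts shared (proxy) caches and does not stop the client from caching. Reword it to say that, and replace the "not sure why" TODO in the else branch with the actual reason once it is known, since the context lines above already point at an improper caching issue.
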
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-18 Thread Remy Maucherat
[EMAIL PROTECTED] wrote:
keith   2005/04/18 13:21:57
  Modified:catalina/src/share/org/apache/catalina/authenticator
AuthenticatorBase.java
  Log:
  [34083 et al] For webapps with security constraints, we default to sending
  headers to disable caching.  This is well-intentioned but IE will not open
  office documents under SSL with the Pragma header.  Remove the Pragma
  header and change the Cache-Control to private based on comments in
  the many bugs about this and my reading of the 1.1 spec.
  
  Per Remy make this behavior optional, with a new valve attribute
When I say make it optional, I mean: the current behavior should 
remain the default (as it has been since day one, and I am not the one 
who actually did it), but I am ok with having the new proposed behavior 
as an option (and documenting it).

Maybe a better attribute name can be found, BTW. 
IECompatibleProxyCacheDisableHeaders is probably better than 
StupidSettingWhichWillIntroduceBrokenBehaviorIfYouSetItToFalse, but not 
by much.

Rémy


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-18 Thread Keith Wannamaker
I'd like to omit pragma header by default.  What specific client 
requires it?  The community has identified a specific, widespread 
failure with the former code-- it did not work out of the box with IE 
under SSL.  So, if we want to keep the pragma header the default, what 
are the reasons?

Keith
Remy Maucherat wrote:
[EMAIL PROTECTED] wrote:
keith   2005/04/18 13:21:57
  Modified:catalina/src/share/org/apache/catalina/authenticator
AuthenticatorBase.java
  Log:
  [34083 et al] For webapps with security constraints, we default to 
sending
  headers to disable caching.  This is well-intentioned but IE will 
not open
  office documents under SSL with the Pragma header.  Remove the Pragma
  header and change the Cache-Control to private based on comments in
  the many bugs about this and my reading of the 1.1 spec.
Per Remy make this behavior optional, with a new valve attribute

When I say make it optional, I mean: the current behavior should 
remain the default (as it has been since day one, and I am not the one 
who actually did it), but I am ok with having the new proposed behavior 
as an option (and documenting it).

Maybe a better attribute name can be found, BTW. 
IECompatibleProxyCacheDisableHeaders is probably better than 
StupidSettingWhichWillIntroduceBrokenBehaviorIfYouSetItToFalse, but not 
by much.

Rémy


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-18 Thread Remy Maucherat
Keith Wannamaker wrote:
I'd like to omit pragma header by default.  What specific client 
requires it?  The community has identified a specific, widespread 
failure with the former code-- it did not work out of the box with IE 
under SSL.  So, if we want to keep the pragma header the default, what 
are the reasons?
I am not willing to discuss this issue. This has been like this forever, 
the behavior was not introduced by myself, and existing flags do exist. 
Your new flag restricts security, and could cause inappropriate caching 
of pages on the client, which could cause user errors on important 
sections of the website.

Rémy


cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-18 Thread remm
remm    2005/04/18 14:47:17

  Modified:catalina/src/share/org/apache/catalina/authenticator
AuthenticatorBase.java
  Log:
  - Since my previous comments are being ignored, I am making the necessary 
changes.
  
  Revision  ChangesPath
  1.27  +7 -7  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.26
  retrieving revision 1.27
  diff -u -r1.26 -r1.27
  --- AuthenticatorBase.java18 Apr 2005 20:21:57 -  1.26
  +++ AuthenticatorBase.java18 Apr 2005 21:47:17 -  1.27
  @@ -147,7 +147,7 @@
* Flag to determine if we disable proxy caching with headers compatible
* with IE 
*/
  -protected boolean IECompatibleProxyCacheDisableHeaders = true;
  +protected boolean securePaggesAsPrivate = false;
   
   /**
* The lifecycle event support for this component.
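
Review bot: Besides the rename, the initial value changes from true to false, which switches the default headers back to Pragma and no-cache; the log message does not mention a behaviour change and should. The new name securePaggesAsPrivate is also misspelled, and because the later hunks use it for the public getter and setter, the typo would become part of the valve's attribute name.
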
  @@ -350,8 +350,8 @@
* Return the flag that states, if proxy caching is disabled, what 
headers
* we add to disable the caching.  
*/
  -public boolean getIECompatibleProxyCacheDisableHeaders() {
  -return IECompatibleProxyCacheDisableHeaders;
  +public boolean getSecurePaggesAsPrivate() {
  +return securePaggesAsPrivate;
   }
   
   /**
  @@ -361,8 +361,8 @@
* generally compatible, codefalse/code if add headers which aren't
* known to be compatible.
*/
  -public void setIECompatibleProxyCacheDisableHeaders(boolean compatible) {
  -IECompatibleProxyCacheDisableHeaders = compatible;
  +public void setSecurePaggesAsPrivate(boolean securePaggesAsPrivate) {
  +this.securePaggesAsPrivate = securePaggesAsPrivate;
   }
   
   // - Public 
Methods
  @@ -440,7 +440,7 @@
   // (improper caching issue)
   //!request.isSecure() 
   !POST.equalsIgnoreCase(request.getMethod())) {
  -if (IECompatibleProxyCacheDisableHeaders) {
  +if (securePaggesAsPrivate) {
 //this is the standard way to disable caching
 response.setHeader(Cache-Control, private);
   } else {
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-18 Thread remm
remm    2005/04/18 14:48:14

  Modified:catalina/src/share/org/apache/catalina/authenticator
AuthenticatorBase.java
  Log:
  - Typo.
  
  Revision  ChangesPath
  1.28  +7 -7  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.27
  retrieving revision 1.28
  diff -u -r1.27 -r1.28
  --- AuthenticatorBase.java18 Apr 2005 21:47:17 -  1.27
  +++ AuthenticatorBase.java18 Apr 2005 21:48:14 -  1.28
  @@ -147,7 +147,7 @@
* Flag to determine if we disable proxy caching with headers compatible
* with IE 
*/
  -protected boolean securePaggesAsPrivate = false;
  +protected boolean securePagesAsPrivate = false;
   
   /**
* The lifecycle event support for this component.
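Review bot: the Javadoc left as context above `securePagesAsPrivate` still says "disable proxy caching with headers compatible with IE", which described the old flag. While fixing the spelling, replace it with a sentence saying that `true` marks protected responses `Cache-Control: private` and what the default of `false` sends instead.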
  @@ -350,8 +350,8 @@
* Return the flag that states, if proxy caching is disabled, what 
headers
* we add to disable the caching.  
*/
  -public boolean getSecurePaggesAsPrivate() {
  -return securePaggesAsPrivate;
  +public boolean getSecurePagesAsPrivate() {
  +return securePagesAsPrivate;
   }
   
   /**
  @@ -361,8 +361,8 @@
* generally compatible, codefalse/code if add headers which aren't
* known to be compatible.
*/
  -public void setSecurePaggesAsPrivate(boolean securePaggesAsPrivate) {
  -this.securePaggesAsPrivate = securePaggesAsPrivate;
  +public void setSecurePagesAsPrivate(boolean securePagesAsPrivate) {
  +this.securePagesAsPrivate = securePagesAsPrivate;
   }
   
   // - Public 
Methods
  @@ -440,7 +440,7 @@
   // (improper caching issue)
   //!request.isSecure() 
   !POST.equalsIgnoreCase(request.getMethod())) {
  -if (securePaggesAsPrivate) {
  +if (securePagesAsPrivate) {
 //this is the standard way to disable caching
 response.setHeader(Cache-Control, private);
   } else {
  
  
  




Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-18 Thread Keith Wannamaker
Pragma has never been sent out on a secure connection until recently 
(rev 1.13). This is brand new behavior and it causes problems with IE 
under SSL.  At the time you even said you'd be willing to roll it back. 
I'd be happy to leave cache-control to no-cache, it is the Pragma that 
is killing us.  Are you aware of a client that depends solely on Pragma 
for cache instruction?  I would argue that being unable to serve pages 
to IE under SSL is more significant than a caching problem in a client 
that doesn't understand cache-control.

Keith
Remy Maucherat wrote:
Keith Wannamaker wrote:
I'd like to omit pragma header by default.  What specific client 
requires it?  The community has identified a specific, widespread 
failure with the former code-- it did not work out of the box with IE 
under SSL. So, if we want to keep the pragma header the default, 
what are the reasons?

I am not willing to discuss this issue. This has been like this forever, 
the behavior was not introduced by myself, and existing flags do exist. 
Your new flag restricts security, and could cause inappropriate caching 
of pages on the client, which could cause user errors on important 
sections of the website.

Rémy


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-18 Thread Remy Maucherat
Keith Wannamaker wrote:
Pragma has never been sent out on a secure connection until recently 
(rev 1.13). This is brand new behavior and it causes problems with IE 
under SSL.  At the time you even said you'd be willing to roll it back.
Coincidentally, it was sufficiently long ago that I actually forgot 
about it. I would characterize this as recently, however, as given the 
version in which it went in, it's in all the stable 5.0.x and 5.5.x builds.

I'd be happy to leave cache-control to no-cache, it is the Pragma that 
is killing us.  Are you aware of a client that depends solely on Pragma 
for cache instruction?  I would argue that being unable to serve pages 
to IE under SSL is more significant than a caching problem in a client 
that doesn't understand cache-control.
I read:
// FIXME: Disabled for Mozilla FORM support over SSL
// (improper caching issue)
Indeed (I now remember the issue), there would be serious issues should 
this not be the default.

Now, I think you are misrepresenting the IE issue, and it's not such a 
big issue. I am perfectly fine with adding new configurability and 
documenting it properly, but defaults should lean towards the safer 
solution.

BTW, I really don't see any problem with not using the defaults, and 
actually configuring something. Is that really a big issue for you and 
the people who reported this problem? For example, in JBoss, I use a 
different default configuration and I don't make a big issue out of it.

Rémy


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2005-04-18 Thread Keith Wannamaker
I read:
// FIXME: Disabled for Mozilla FORM support over SSL
// (improper caching issue)
Indeed (I now remember the issue), there would be serious issues should 
this not be the default.
The issue here is, apparently, that Mozilla has a caching bug we are 
working around, so we have to disable caching.  However, I don't know 
that the broken Mozilla agent requires the Pragma header to do this.

Now, I think you are misrepresenting the IE issue, and it's not such a 
big issue. 
Here is a test war for you and those interested,
http://apache.org/~keith/ietest.war.  If you deploy this you will see 
that you cannot download the one file in the webapp with IE with head of 
tree.  If you comment out the pragma header in AuthenticatorBase, it 
works fine.

Despite your renaming, I want to emphasize that I am not talking about 
the cache-control header, and am fine with it being either private or 
no-cache.

I am perfectly fine with adding new configurability and 
documenting it properly, but defaults should lean towards the safer 
solution.
I disagree, defaults should be friendly to the largest client base.
BTW, I really don't see any problem with not using the defaults, and 
actually configuring something. Is that really a big issue for you and 
the people who reported this problem? For example, in JBoss, I use a 
different default configuration and I don't make a big issue out of it.
I think Tomcat should work with IE under SSL, and yes, I think it is a 
big issue that Tomcat doesn't, out of the box.

Keith


cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2004-09-13 Thread remm
remm        2004/09/13 14:07:43

  Modified:    catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java
  Log:
  - Fix bug where going through the authenticator would create a session each time.
    This fixes all tester failures.
  
  Revision  Changes    Path
  1.25  +2 -2  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.24
  retrieving revision 1.25
  diff -u -r1.24 -r1.25
  --- AuthenticatorBase.java29 Aug 2004 16:46:09 -  1.24
  +++ AuthenticatorBase.java13 Sep 2004 21:07:43 -  1.25
  @@ -365,7 +365,7 @@
   if (cache) {
   Principal principal = request.getUserPrincipal();
   if (principal == null) {
  -Session session = request.getSessionInternal();
  +Session session = request.getSessionInternal(false);
   if (session != null) {
   principal = session.getPrincipal();
   if (principal != null) {
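Review bot: the `request.getSessionInternal(false)` call on the `+` line needs a short comment saying this lookup must never create a session, otherwise the no-argument form is an easy thing to restore by accident. The existing `if (session != null)` context line already handles the null that the new call can return, so no further guard is needed; a regression test that counts sessions after unauthenticated requests would pin the behaviour down.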
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java SingleSignOn.java SingleSignOnEntry.java

2004-04-26 Thread remm
remm        2004/04/26 14:50:36

  Modified:    catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java SingleSignOn.java
                        SingleSignOnEntry.java
  Log:
  - Allow extending SSO functionality.
  - Submitted by Brian Stansberry.
  
  Revision  Changes    Path
  1.18  +9 -17 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.17
  retrieving revision 1.18
  diff -u -r1.17 -r1.18
  --- AuthenticatorBase.java27 Feb 2004 14:58:41 -  1.17
  +++ AuthenticatorBase.java26 Apr 2004 21:50:36 -  1.18
  @@ -760,31 +760,23 @@
   
   boolean reauthenticated = false;
   
  -SingleSignOnEntry entry = sso.lookup(ssoId);
  -if (entry != null  entry.getCanReauthenticate()) {
  -Principal reauthPrincipal = null;
   Container parent = getContainer();
   if (parent != null) {
  -Realm realm = getContainer().getRealm();
  -String username = entry.getUsername();
  -if (realm != null  username != null) {
  -reauthPrincipal =
  -realm.authenticate(username, entry.getPassword());
  +Realm realm = parent.getRealm();
  +if (realm != null) {
  +reauthenticated = sso.reauthenticate(ssoId, realm, request);
   }
   }
   
  -if (reauthPrincipal != null) {
  +if (reauthenticated) {
   associate(ssoId, getSession(request, true));
  -request.setAuthType(entry.getAuthType());
  -request.setUserPrincipal(reauthPrincipal);
   
  -reauthenticated = true;
   if (log.isDebugEnabled()) {
  +HttpServletRequest hreq = 
  +(HttpServletRequest) request.getRequest();
   log.debug( Reauthenticated cached principal ' +
  -  entry.getPrincipal().getName() +
  -  ' with auth type ' +
  -  entry.getAuthType() + ');
  -}
  +  hreq.getUserPrincipal().getName() +
  +  ' with auth type ' +  hreq.getAuthType() + ');
   }
   }
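Review bot: the new debug statement dereferences `hreq.getUserPrincipal().getName()` and so relies on `sso.reauthenticate(...)` having bound a principal to the request whenever it returns true. This commit exists to let that method be extended, so an override that returns true without setting the principal would throw a NullPointerException here, and only when debug logging is enabled. Null-check the principal before building the message, or state in the `reauthenticate` Javadoc that returning true requires both the principal and the auth type to be set on the request.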
   
  
  
  
  1.13  +94 -46
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java
  
  Index: SingleSignOn.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- SingleSignOn.java 27 Feb 2004 14:58:41 -  1.12
  +++ SingleSignOn.java 26 Apr 2004 21:50:36 -  1.13
  @@ -33,6 +33,7 @@
   import org.apache.catalina.LifecycleException;
   import org.apache.catalina.LifecycleListener;
   import org.apache.catalina.Logger;
  +import org.apache.catalina.Realm;
   import org.apache.catalina.Request;
   import org.apache.catalina.Response;
   import org.apache.catalina.Session;
  @@ -559,6 +560,55 @@
   
   
   /**
  + * Attempts reauthentication to the given codeRealm/code using
  + * the credentials associated with the single sign-on session
  + * identified by argument codessoId/code.
  + * p
  + * If reauthentication is successful, the codePrincipal/code and
  + * authorization type associated with the SSO session will be bound
  + * to the given codeHttpRequest/code object via calls to 
  + * [EMAIL PROTECTED] HttpRequest#setAuthType HttpRequest.setAuthType()} and 
  + * [EMAIL PROTECTED] HttpRequest#setUserPrincipal 
HttpRequest.setUserPrincipal()}
  + * /p
  + *
  + * @param ssoId identifier of SingleSignOn session with which the
  + *  caller is associated
  + * @param realm Realm implementation against which the caller is to
  + *  be authenticated
  + * @param request   the request that needs to be authenticated
  + * 
  + * @return  codetrue/code if reauthentication was successful,
  + *  codefalse/code otherwise.
  + */
  +protected boolean reauthenticate(String ssoId, Realm realm,
  +  HttpRequest request) {
  +
  +if (ssoId == null || realm == null)
  +return false;
  +
  +boolean reauthenticated = false;
  +
  +SingleSignOnEntry entry = lookup(ssoId);
  +if (entry != null  entry.getCanReauthenticate()) {
  + 

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2004-04-26 Thread remm
remm        2004/04/26 14:54:15

  Modified:    catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java
  Log:
  - Fix indentation.
  
  Revision  Changes    Path
  1.19  +10 -9 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.18
  retrieving revision 1.19
  diff -u -r1.18 -r1.19
  --- AuthenticatorBase.java26 Apr 2004 21:50:36 -  1.18
  +++ AuthenticatorBase.java26 Apr 2004 21:54:15 -  1.19
  @@ -753,28 +753,29 @@
*  caller is associated
* @param request   the request that needs to be authenticated
*/
  -protected boolean reauthenticateFromSSO(String ssoId, HttpRequest request) {
  +protected boolean reauthenticateFromSSO
  +(String ssoId, HttpRequest request) {
   
   if (sso == null || ssoId == null)
   return false;
   
   boolean reauthenticated = false;
   
  -Container parent = getContainer();
  -if (parent != null) {
  +Container parent = getContainer();
  +if (parent != null) {
   Realm realm = parent.getRealm();
   if (realm != null) {
   reauthenticated = sso.reauthenticate(ssoId, realm, request);
  -}
   }
  +}
   
   if (reauthenticated) {
  -associate(ssoId, getSession(request, true));
  +associate(ssoId, getSession(request, true));
   
  -if (log.isDebugEnabled()) {
  +if (log.isDebugEnabled()) {
   HttpServletRequest hreq = 
  -(HttpServletRequest) request.getRequest();
  -log.debug( Reauthenticated cached principal ' +
  +(HttpServletRequest) request.getRequest();
  +log.debug( Reauthenticated cached principal ' +
 hreq.getUserPrincipal().getName() +
 ' with auth type ' +  hreq.getAuthType() + ');
   }
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java BasicAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java DigestAuthenticator.java

2004-01-26 Thread remm
remm        2004/01/26 11:46:44

  Modified:    catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java BasicAuthenticator.java
                        FormAuthenticator.java NonLoginAuthenticator.java
                        DigestAuthenticator.java
  Log:
  - Remove compilation warnings.
  
  Revision  Changes    Path
  1.16  +5 -5  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- AuthenticatorBase.java11 Dec 2003 05:50:39 -  1.15
  +++ AuthenticatorBase.java26 Jan 2004 19:46:44 -  1.16
  @@ -380,7 +380,7 @@
*/
   public String getInfo() {
   
  -return (this.info);
  +return (info);
   
   }
   
  
  
  
  1.4   +7 -13 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java
  
  Index: BasicAuthenticator.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- BasicAuthenticator.java   24 Nov 2003 16:46:56 -  1.3
  +++ BasicAuthenticator.java   26 Jan 2004 19:46:44 -  1.4
  @@ -97,12 +97,6 @@
   
   
   /**
  - * The Base64 helper object for this class.
  - */
  -protected static final Base64 base64Helper = new Base64();
  -
  -
  -/**
* Descriptive information about this implementation.
*/
   protected static final String info =
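Review bot: deleting the `protected static final Base64 base64Helper` field removes a member that subclasses of `BasicAuthenticator` can reference, which goes beyond a warning cleanup. If compatibility for extenders matters on this branch, keep the field as deprecated for a release; otherwise mention the removal in the changelog.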
  @@ -117,7 +111,7 @@
*/
   public String getInfo() {
   
  -return (this.info);
  +return (info);
   
   }
   
  @@ -220,7 +214,7 @@
   
   // Decode and parse the authorization credentials
   String unencoded =
  -  new String(base64Helper.decode(authorization.getBytes()));
  +new String(Base64.decode(authorization.getBytes()));
   int colon = unencoded.indexOf(':');
   if (colon  0)
   return (null);
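Review bot: `new String(Base64.decode(authorization.getBytes()))` on the `+` line still converts in both directions with the JVM's default charset, so how a non-ASCII user name or password decodes depends on the platform the server runs on. Since the line is being touched anyway, pass an explicit charset to `getBytes` and to the `String` constructor. The same expression recurs in the next hunk, where the `+` line is indented differently from this one.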
  @@ -247,7 +241,7 @@
   
   // Decode and parse the authorization credentials
   String unencoded =
  -  new String(base64Helper.decode(authorization.getBytes()));
  +  new String(Base64.decode(authorization.getBytes()));
   int colon = unencoded.indexOf(':');
   if (colon  0)
   return (null);
  
  
  
  1.6   +5 -5  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/FormAuthenticator.java
  
  Index: FormAuthenticator.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/FormAuthenticator.java,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- FormAuthenticator.java24 Nov 2003 16:46:56 -  1.5
  +++ FormAuthenticator.java26 Jan 2004 19:46:44 -  1.6
  @@ -122,7 +122,7 @@
*/
   public String getInfo() {
   
  -return (this.info);
  +return (info);
   
   }
   
  
  
  
  1.4   +5 -5  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/NonLoginAuthenticator.java
  
  Index: NonLoginAuthenticator.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/NonLoginAuthenticator.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- NonLoginAuthenticator.java24 Nov 2003 16:46:56 -  1.3
  +++ NonLoginAuthenticator.java26 Jan 2004 19:46:44 -  1.4
  @@ -103,7 +103,7 @@
*/
   public String getInfo() {
   
  -return (this.info);
  +return (info);
   
   }
   
  
  
  
  1.4   +5 -5  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java
  
  Index: DigestAuthenticator.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- DigestAuthenticator.java  24 Nov 2003 16:46:56 -  1.3
  +++ DigestAuthenticator.java  26 Jan 2004 19:46:44 -  1.4
  @@ -194,7 +194,7 @@
*/
   public String getInfo() {
   
  -return (this.info);
  +return (info);
   
   

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2003-10-23 Thread remm
remm        2003/10/23 10:33:10

  Modified:    catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java
  Log:
  - Add the caching flags even over a secure connection, due to Mozilla bugs.
  - I'm willing to revert that. I think Bill originally added the !isSecure.
  
  Revision  Changes    Path
  1.13  +7 -5  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- AuthenticatorBase.java21 Oct 2003 02:58:42 -  1.12
  +++ AuthenticatorBase.java23 Oct 2003 17:33:10 -  1.13
  @@ -514,7 +514,9 @@
   // or browsers as caching can provide a security hole
   HttpServletRequest hsrequest = (HttpServletRequest)hrequest.getRequest();
   if (disableProxyCaching  
  -!hsrequest.isSecure() 
  +// FIXME: Disabled for Mozilla FORM support over SSL 
  +// (improper caching issue)
  +//!hsrequest.isSecure() 
   !POST.equalsIgnoreCase(hsrequest.getMethod())) {
   HttpServletResponse sresponse = 
   (HttpServletResponse) response.getResponse();
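Review bot: commenting out `!hsrequest.isSecure()` changes the response headers for every client on every SSL request in order to work around one browser, and the `FIXME` gives no bug reference or condition for removing it. Delete the line rather than leaving it commented, cite the Mozilla bug in the comment, and consider putting the SSL case behind a configuration flag instead of hard-coding it, given that the log message already offers to revert.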
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2003-10-20 Thread luehe
luehe   2003/10/20 19:58:42

  Modified:    catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java
  Log:
  Fixed indentation/removed tabs
  
  Revision  Changes    Path
  1.12  +66 -47
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.11
  retrieving revision 1.12
  diff -u -r1.11 -r1.12
  --- AuthenticatorBase.java2 Sep 2003 21:22:04 -   1.11
  +++ AuthenticatorBase.java21 Oct 2003 02:58:42 -  1.12
  @@ -499,8 +499,8 @@
   
   Realm realm = this.context.getRealm();
   // Is this request URI subject to a security constraint?
  -SecurityConstraint [] constraints = realm.
  -   findSecurityConstraints(hrequest, this.context);
  +SecurityConstraint [] constraints
  += realm.findSecurityConstraints(hrequest, this.context);
  
   if ((constraints == null) /* 
   (!Constants.FORM_METHOD.equals(config.getAuthMethod())) */ ) {
  @@ -522,54 +522,73 @@
   sresponse.setHeader(Cache-Control, no-cache);
   sresponse.setHeader(Expires, DATE_ONE);
   }
  - int i;
  - for(i=0; i  constraints.length; i++) {
  - if (log.isDebugEnabled())
  - log.debug( Subject to constraint  + constraints[i]);
  - // Enforce any user data constraint for this security constraint
  - if (log.isDebugEnabled())
  - log.debug( Calling hasUserDataPermission());
  -
  - if (!realm.hasUserDataPermission(hrequest, hresponse, constraints[i])) {
  - if (log.isDebugEnabled())
  - log.debug( Failed hasUserDataPermission() test);
  - // ASSERT: Authenticator already set the appropriate
  - // HTTP status code, so we do not have to do anything special
  - return;
  - }
  - }
  - for(i=0; i  constraints.length; i++) {
  - // Authenticate based upon the specified login configuration
  - if (constraints[i].getAuthConstraint()) {
  - if (log.isDebugEnabled())
  - log.debug( Calling authenticate());
  - if (!authenticate(hrequest, hresponse, config)) {
  - if (log.isDebugEnabled())
  - log.debug( Failed authenticate() test);
  - // ASSERT: Authenticator already set the appropriate
  - // HTTP status code, so we do not have to do anything special
  - return;
  +
  +int i;
  +for(i=0; i  constraints.length; i++) {
  +if (log.isDebugEnabled()) {
  +log.debug( Subject to constraint  + constraints[i]);
  +}
  +// Enforce any user data constraint for this security constraint
  +if (log.isDebugEnabled()) {
  +log.debug( Calling hasUserDataPermission());
  +}
  +if (!realm.hasUserDataPermission(hrequest, hresponse,
  + constraints[i])) {
  +if (log.isDebugEnabled()) {
  +log.debug( Failed hasUserDataPermission() test);
  +}
  +/*
  + * ASSERT: Authenticator already set the appropriate
  + * HTTP status code, so we do not have to do anything special
  + */
  +return;
   }
   }
   
  - // Perform access control based on the specified role(s)
  - if (constraints[i].getAuthConstraint()) {
  - if (log.isDebugEnabled())
  - log.debug( Calling accessControl());
  -
  - if (!realm.hasResourcePermission(hrequest, hresponse, constraints[i], 
this.context)) {
  - if (log.isDebugEnabled())
  - log.debug( Failed accessControl() test);
  - // ASSERT: AccessControl method has already set the appropriate
  - // HTTP status code, so we do not have to do anything special
  - return;
  - }
  - }
  +for(i=0; i  constraints.length; i++) {
  +// Authenticate based upon the specified login configuration
  +if (constraints[i].getAuthConstraint()) {
  +if (log.isDebugEnabled()) {
  +log.debug( Calling authenticate());
  +}
  +if (!authenticate(hrequest, hresponse, config)) {
  +if (log.isDebugEnabled()) {
  +log.debug( Failed authenticate() test);
  +}
  +   
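Review bot: this hunk is logged as indentation and tab removal, but its `+` lines also add braces around every `if (log.isDebugEnabled())` body and turn the `// ASSERT:` line comments into a block comment, so it would not come out empty under a whitespace-insensitive diff. In the method that enforces security constraints that makes it hard to confirm nothing else moved; split the pure re-indent from the brace and comment changes.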

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2003-07-17 Thread billbarker
billbarker    2003/07/17 21:36:50

  Modified:    catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java
  Log:
  As discussed on tomcat-dev, don't disable caching of POST requests.
  
  Revision  Changes    Path
  1.7   +7 -5  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- AuthenticatorBase.java12 Mar 2003 05:59:30 -  1.6
  +++ AuthenticatorBase.java18 Jul 2003 04:36:50 -  1.7
  @@ -504,8 +504,10 @@
   
   // Make sure that constrained resources are not cached by web proxies
   // or browsers as caching can provide a security hole
  + HttpServletRequest hsrequest = (HttpServletRequest)hrequest.getRequest();
   if (disableProxyCaching  
  -!(((HttpServletRequest) hrequest.getRequest()).isSecure())) {
  +!hsrequest.isSecure() 
  + !POST.equalsIgnoreCase(hsrequest.getMethod())) {
   HttpServletResponse sresponse = 
   (HttpServletResponse) response.getResponse();
   sresponse.setHeader(Pragma, No-cache);
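Review bot: with `!POST.equalsIgnoreCase(hsrequest.getMethod())` added to the condition, the comment kept above it ("Make sure that constrained resources are not cached by web proxies or browsers") no longer matches the code, because responses to POST on a constrained resource now go out without these headers. Extend the comment to say why POST is exempt and what, if anything, keeps those responses out of caches.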
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2003-07-17 Thread billbarker
billbarker    2003/07/17 21:38:30

  Modified:    catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java
  Log:
  Remove tabs.
  
  Revision  Changes    Path
  1.8   +6 -6  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- AuthenticatorBase.java18 Jul 2003 04:36:50 -  1.7
  +++ AuthenticatorBase.java18 Jul 2003 04:38:30 -  1.8
  @@ -504,10 +504,10 @@
   
   // Make sure that constrained resources are not cached by web proxies
   // or browsers as caching can provide a security hole
  - HttpServletRequest hsrequest = (HttpServletRequest)hrequest.getRequest();
  +HttpServletRequest hsrequest = (HttpServletRequest)hrequest.getRequest();
   if (disableProxyCaching  
   !hsrequest.isSecure() 
  - !POST.equalsIgnoreCase(hsrequest.getMethod())) {
  +!POST.equalsIgnoreCase(hsrequest.getMethod())) {
   HttpServletResponse sresponse = 
   (HttpServletResponse) response.getResponse();
   sresponse.setHeader(Pragma, No-cache);
  
  
  




cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2002-11-15 Thread billbarker
billbarker    2002/11/15 21:05:42

  Modified:    catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java
  Log:
  Porting attribute name change.
  
  Revision  Changes    Path
  1.5   +10 -10
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- AuthenticatorBase.java13 Nov 2002 06:10:38 -  1.4
  +++ AuthenticatorBase.java16 Nov 2002 05:05:42 -  1.5
  @@ -198,7 +198,7 @@
* Flag to determine if we disable proxy caching, or leave the issue
* up to the webapp developer.
*/
  -protected boolean noProxyCaching = true;
  +protected boolean disableProxyCaching = true;
   
   /**
* The lifecycle event support for this component.
  @@ -397,8 +397,8 @@
* Return the flag that states if we add headers to disable caching by
* proxies.
*/
  -public boolean getNoProxyCaching() {
  -return noProxyCaching;
  +public boolean getDisableProxyCaching() {
  +return disableProxyCaching;
   }
   
   /**
  @@ -407,8 +407,8 @@
* @param nocache codetrue/code if we add headers to disable proxy 
*  caching, codefalse/code if we leave the headers alone.
*/
  -public void setNoProxyCaching(boolean nocache) {
  -noProxyCaching = nocache;
  +public void setDisableProxyCaching(boolean nocache) {
  +disableProxyCaching = nocache;
   }
   
   // - Public Methods
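Review bot: the setter's parameter is still called `nocache` after the rename to `setDisableProxyCaching`, and the public accessors change name with no deprecated `getNoProxyCaching`/`setNoProxyCaching` left behind. Rename the parameter to match, and either keep the old pair as deprecated delegates or call out the attribute rename in the documentation, since anything configured under the old name will no longer reach this flag.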
  @@ -501,7 +501,7 @@
   
   // Make sure that constrained resources are not cached by web proxies
   // or browsers as caching can provide a security hole
  -if (noProxyCaching  
  +if (disableProxyCaching  
   !(((HttpServletRequest) hrequest.getRequest()).isSecure())) {
   HttpServletResponse sresponse = 
   (HttpServletResponse) response.getResponse();
  
  
  





cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator AuthenticatorBase.java

2002-11-12 Thread billbarker
billbarker    2002/11/12 22:10:38

  Modified:    catalina/src/share/org/apache/catalina/authenticator
                        AuthenticatorBase.java
  Log:
  Add a flag to disable adding headers to prevent proxies from caching the content of
  protected pages.
  
  I strongly want this in 4.1, but committing here first since the topic is a bit
  controversial.  The out-of-the-box behavior is the same as before.  This just adds a
  much-asked-for configuration setting for webmasters that don't want this behavior.
  
  Revision  Changes    Path
  1.4   +28 -5 
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
  
  Index: AuthenticatorBase.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- AuthenticatorBase.java9 Aug 2002 01:12:39 -   1.3
  +++ AuthenticatorBase.java13 Nov 2002 06:10:38 -  1.4
   -194,6 +194,11 
   protected static final String info =
   org.apache.catalina.authenticator.AuthenticatorBase/1.0;
   
  +/**
  + * Flag to determine if we disable proxy caching, or leave the issue
  + * up to the webapp developer.
  + */
  +protected boolean noProxyCaching = true;
   
   /**
* The lifecycle event support for this component.
   -388,6 +393,23 
   
   }
   
  +/**
  + * Return the flag that states if we add headers to disable caching by
  + * proxies.
  + */
  +public boolean getNoProxyCaching() {
  +return noProxyCaching;
  +}
  +
  +/**
  + * Set the value of the flag that states if we add headers to disable
  + * caching by proxies.
  + * param nocache codetrue/code if we add headers to disable proxy 
  + *  caching, codefalse/code if we leave the headers alone.
  + */
  +public void setNoProxyCaching(boolean nocache) {
  +noProxyCaching = nocache;
  +}
   
   // - Public Methods
   
   -479,7 +501,8 
   
   // Make sure that constrained resources are not cached by web proxies
   // or browsers as caching can provide a security hole
  -if (!(((HttpServletRequest) hrequest.getRequest()).isSecure())) {
  +if (noProxyCaching  
  +!(((HttpServletRequest) hrequest.getRequest()).isSecure())) {
   HttpServletResponse sresponse = 
   (HttpServletResponse) response.getResponse();
   sresponse.setHeader(Pragma, No-cache);
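Review bot: when `noProxyCaching` is set to false the whole header block in this hunk is skipped, so protected pages served over plain HTTP carry none of these anti-caching headers, which is the case the retained comment calls a security hole. The setter Javadoc should state that consequence and that the application must then set its own headers. The name also reads as a negative (true means headers are added), so a positively phrased name would be easier to configure correctly.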
  
  
  

--
To unsubscribe, e-mail:   mailto:tomcat-dev-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-dev-help;jakarta.apache.org