Hi Tony, This has been on the to-do list for a while. I'll try to take a look at this in the near future. My day job has me swamped at the moment. Thanks.
Cheers, Larry > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Friday, August 02, 2002 4:06 PM > To: [EMAIL PROTECTED] > Subject: propsed > org.apache.tomcat.modules.aaa.AccessInterceptor fix for > security-constraint > > > Hi, > > I found that tomcat-3.3.1 will end up in an endless redirect > loop if you > use FORM auth-method in your login-config and happened to place your > form-login-page > in a path that is protected by a web-resource-name in your security > constraint. > > based on my assessment, the following patch fixes the bug. > part of the fix below was adapted from tomcat 4.0 sources > > comments? opinions? > > -Tony Chao > > > > C:\Documents and Settings\hchao\Desktop>diff AccessInterceptor.java > AccessInterc > eptor.java.orig > 273,301d272 > < // Is this a request for the login page itself? > Test here to > avoid > < // displaying it twice (from the user's perspective) -- once > because > < // of the "save and redirect" and once because of > the "restore > and > < // redirect" performed below. > < if (reqURI.equals(ctx.getFormLoginPage())) { > < if (debug >= 1) > < log("Requesting login page normally"); > < return 0; // Display the login page in the > usual manner > < } > < > < // Is this a request for the error page itself? 
> Test here to > avoid > < // an endless loop (back to the login page) if the > error page is > < // within the protected area of our security constraint > < if (reqURI.equals(ctx.getFormErrorPage())) { > < if (debug >= 1) > < log("Requesting error page normally"); > < return 0; // Display the error page in the > usual manner > < } > < > < int lastS=ctx.getFormLoginPage().lastIndexOf( "/" ); > < String security_check_url = > ctx.getFormLoginPage().substring( 0, > lastS) > < + "/j_security_check"; > < if (reqURI.equals(security_check_url)) { > < if (debug >= 1) > < log("Requesting security check page normally"); > < return 0; // Display the security check in > the usual > manner > < } > < > < > > > > -- > To unsubscribe, e-mail: > <mailto:tomcat-dev-> [EMAIL PROTECTED]> > For > additional commands, > e-mail: <mailto:[EMAIL PROTECTED]> > > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
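Review bot: In the j_security_check block at the end of the hunk, the result of ctx.getFormLoginPage().lastIndexOf( "/" ) goes straight into substring( 0, lastS ) with no check, so a login page value containing no "/" gives lastS = -1 and a StringIndexOutOfBoundsException, and a null login page (nothing in these lines shows the code is reached only for FORM auth) gives a NullPointerException at the lastIndexOf call. Guard both cases before building security_check_url. All three tests return 0 on an exact reqURI.equals(...) match, which exempts those paths from the constraint, so it is worth confirming that reqURI is in the same context-relative form as the configured login and error pages; a mismatch fails closed but brings the redirect loop back. The diff is also reversed (patched file first, .orig second, hence 273,301d272 and the "<" lines) and in default format; diff -u AccessInterceptor.java.orig AccessInterceptor.java would be easier to read and apply.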