It turns out TC 4.0.6 has the same auth bug as 3.3 -- it challenges prior to redirects. The immediate problem this causes is that some browsers will cache and send credentials for the entire domain after being challenged for a top level directory without a trailing slash.
So 4.0.6 exhibits this wrong behavior:

GET /foo -> 401
GET /foo with auth -> 301 to /foo/
GET /foo/ with auth -> 200
GET /bar with auth .. (browser will send auth to other realms!)

With the following patch it will exhibit this correct behavior:

GET /foo -> 301 to /foo/
GET /foo/ -> 401
GET /foo/ with auth -> 200
GET /bar WITHOUT auth

I'll be glad to ci it, but those more in the know may have a better location for the fix in mind.

Keith

Index: catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v retrieving revision 1.23.2.5 diff -u -r1.23.2.5 AuthenticatorBase.java --- catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java 27 Feb 2002 17:42:58 -0000 1.23.2.5 +++ catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java 8 Nov 2002 05:25:06 -0000 @@ -422,8 +422,18 @@ context.invokeNext(request, response); return; } HttpRequest hrequest = (HttpRequest) request; HttpResponse hresponse = (HttpResponse) response; + + // Do not authenticate prior to redirects + String uri = ((HttpServletRequest) request.getRequest()).getRequestURI(); + if (uri.length() > 0 && ! uri.endsWith("/") && + uri.equals(request.getContext().getName())) { + context.invokeNext(request, response); + return; + } + if (debug >= 1) log("Security checking request " + ((HttpServletRequest) request.getRequest()).getMethod() + " " +
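Review bot: the new guard skips the authenticator for every request whose URI equals the context name without a trailing slash, whether or not a redirect is actually going to be issued for it; if anything answers that URI directly instead of redirecting (a servlet mapped at the context root, or the default servlet serving content), the security constraint is bypassed for that request. It would be safer to tie the pass-through to the redirect itself, i.e. only skip the check when the container is about to send the 301 to `uri + "/"`, and fall through to the normal security check otherwise. The `// Do not authenticate prior to redirects` comment should also state the reason (the browser scopes cached credentials to the directory of the challenged URI, so a challenge on `/foo` leaks them to the whole host) so the ordering is not "tidied" away later.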
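As an added illustration (not part of the mail or of Tomcat), a small Python model of the two request sequences above: it plays an RFC 2617 Basic-auth client, which treats every path at or below the directory of the challenged URI as the same protection space, against a toy container with and without the challenge-before-redirect behaviour. The container, browser, paths and credentials are constructed for the example.

```python
# Added model (not Tomcat code) of the mail's point: an RFC 2617 Basic-auth
# client assumes every path at or below the directory of the URI it was
# challenged on shares the protection space, so a 401 on "/foo" (directory
# "/") makes it send credentials to the whole host; a 401 on "/foo/" does not.
def protection_space(uri: str) -> str:
    """Directory of the challenged URI: up to and including the last '/'."""
    return uri[: uri.rfind("/") + 1]

class Container:
    """Toy container: protected dir /foo/ plus the trailing-slash redirect.
    auth_before_redirect=True models the TC 4.0.6 / 3.3 behaviour."""

    def __init__(self, auth_before_redirect: bool):
        self.auth_before_redirect = auth_before_redirect

    def handle(self, uri: str, creds):
        protected = uri == "/foo" or uri.startswith("/foo/")
        redirect = uri == "/foo"  # directory requested without trailing slash
        challenge = protected and (self.auth_before_redirect or not redirect)
        if challenge and creds != "user:pass":
            return 401, None
        if redirect:
            return 301, "/foo/"
        return 200, None

class Browser:
    """Caches credentials per protection space and sends them preemptively."""

    def __init__(self):
        self.cached = {}  # protection-space prefix -> credentials
        self.log = []     # (uri, credentials sent, status) per request

    def get(self, server: Container, uri: str):
        creds = next((c for p, c in self.cached.items() if uri.startswith(p)), None)
        status, location = server.handle(uri, creds)
        self.log.append((uri, creds, status))
        if status == 401:  # answer the challenge and remember its scope
            self.cached[protection_space(uri)] = creds = "user:pass"
            status, location = server.handle(uri, creds)
            self.log.append((uri, creds, status))
        if status == 301:
            return self.get(server, location)
        return status

def scenario(auth_before_redirect: bool):
    """GET /foo (following redirects, answering challenges), then GET /bar."""
    browser, server = Browser(), Container(auth_before_redirect)
    browser.get(server, "/foo")
    browser.get(server, "/bar")
    return browser.log
```

`scenario(True)` reproduces the "wrong" sequence from the mail, ending with credentials sent to /bar; `scenario(False)` reproduces the "correct" one, where /bar is requested without them.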