It turns out TC 4.0.6 has the same auth bug as 3.3--
it challenges prior to redirects. The immediate problem
this causes is that some browsers will cache and send
credentials for the entire domain after being challenged
for a top level directory without a trailing slash.
So 4.0.6 exhibits this wrong behavior:
GET /foo -> 401
GET /foo with auth -> 301 to /foo/
GET /foo/ with auth -> 200
GET /bar with auth .. (browser will send auth to other realms!)
With the following patch it will exhibit this correct behavior:
GET /foo -> 301 to /foo/
GET /foo/ -> 401
GET /foo/ with auth -> 200
GET /bar WITHOUT auth
I'll be glad to ci it, but those more in the know may
have a better location for the fix in mind.
Keith
Index: catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
retrieving revision 1.23.2.5
diff -u -r1.23.2.5 AuthenticatorBase.java
--- catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
27 Feb 2002 17:42:58 -0000 1.23.2.5
+++ catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
8 Nov 2002 05:25:06 -0000
@@ -422,8 +422,18 @@
context.invokeNext(request, response);
return;
}
HttpRequest hrequest = (HttpRequest) request;
HttpResponse hresponse = (HttpResponse) response;
+
+ // Do not authenticate prior to redirects
+ String uri = ((HttpServletRequest) request.getRequest()).getRequestURI();
+ if (uri.length() > 0 && ! uri.endsWith("/") &&
+ uri.equals(request.getContext().getName())) {
+ context.invokeNext(request, response);
+ return;
+ }
+
if (debug >= 1)
log("Security checking request " +
((HttpServletRequest) request.getRequest()).getMethod() + " " +
--
To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@;jakarta.apache.org>
