It turns out TC 4.0.6 has the same auth bug as 3.3--
it challenges prior to redirects.  The immediate problem
this causes is that some browsers will cache and send 
credentials for the entire domain after being challenged
for a top level directory without a trailing slash.

So 4.0.6 exhibits this wrong behavior:
 GET /foo                       ->  401
 GET /foo with auth             ->  301 to /foo/
 GET /foo/ with auth            ->  200    
 GET /bar with auth  .. (browser will send auth to other realms!)

With the following patch it will exhibit this correct behavior:
 GET /foo                       ->  301 to /foo/
 GET /foo/                      ->  401
 GET /foo/ with auth            ->  200
 GET /bar  WITHOUT auth


I'll be glad to ci it, but those more in the know may
have a better location for the fix in mind.

Keith


Index: catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,v
retrieving revision 1.23.2.5
diff -u -r1.23.2.5 AuthenticatorBase.java
--- catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
27 Feb 2002 17:42:58 -0000      1.23.2.5
+++ catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
8 Nov 2002 05:25:06 -0000
@@ -422,8 +422,18 @@
             context.invokeNext(request, response);
             return;
         }
         HttpRequest hrequest = (HttpRequest) request;
         HttpResponse hresponse = (HttpResponse) response;
+
+        // Do not authenticate prior to redirects
+        String uri = ((HttpServletRequest) request.getRequest()).getRequestURI();
+        if (uri.length() > 0 && ! uri.endsWith("/") &&
+            uri.equals(request.getContext().getName())) {
+            context.invokeNext(request, response);
+            return;
+        }
+
         if (debug >= 1)
             log("Security checking request " +
                 ((HttpServletRequest) request.getRequest()).getMethod() + " " +
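Review bot: the new early return (the block after `HttpResponse hresponse = ...`) skips the security check for any request whose URI equals the context name exactly, without confirming that the container will actually answer that request with a redirect; if whatever is mapped at the context root serves content for the slash-less path instead of redirecting to it, that content goes out unauthenticated. Consider either issuing the redirect to `uri + "/"` here and returning, so the bypass and the redirect are tied together, or checking that a redirect is what follows before calling `context.invokeNext`. The comment `// Do not authenticate prior to redirects` should also say why the exact match on `request.getContext().getName()` is the only case handled: as written, slash-less directory paths deeper inside the context still get challenged before their redirect, so the browser credential-caching problem described in the message is fixed only for the context root.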

