Bill Barker wrote:

> As a non-4.x expert, your patch looks ok. I would guess that it would still
> have problems with a request to /foo/protected where the security-constraint
> is only for /foo/protected/*.

I don't agree: the patch is bad for 4.1.x and 5.0 (at least, you must use the decoded URI there). Tomcat 4.0.x is probably ok.

I also don't agree with Keith's interpretation, depending on what the constraint is. Can you give examples?

Remy


>It turns out TC 4.0.6 has the same auth bug as 3.3--
>it challenges prior to redirects. The immediate problem
>this causes is that some browsers will cache and send
>credentials for the entire domain after being challenged
>for a top level directory without a trailing slash.
>
>So 4.0.6 exhibits this wrong behavior:
> GET /foo -> 401
> GET /foo with auth -> 301 to /foo/
> GET /foo/ with auth -> 200
> GET /bar with auth .. (browser will send auth to other realms!)
>
>With the following patch it will exhibit this correct behavior:
> GET /foo -> 301 to /foo/
> GET /foo/ -> 401
> GET /foo/ with auth -> 200
> GET /bar WITHOUT auth
>
>
>I'll be glad to ci it, but those more in the know may
>have a better location for the fix in mind.
>
>Keith
>
>
>Index:

catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java

>===================================================================
>RCS file:

/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenti
cator/AuthenticatorBase.java,v

>retrieving revision 1.23.2.5
>diff -u -r1.23.2.5 AuthenticatorBase.java
>---

catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java

>27 Feb 2002 17:42:58 -0000 1.23.2.5
>+++

catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java

>8 Nov 2002 05:25:06 -0000
>@@ -422,8 +422,18 @@
> context.invokeNext(request, response);
> return;
> }
> HttpRequest hrequest = (HttpRequest) request;
> HttpResponse hresponse = (HttpResponse) response;
>+
>+ // Do not authenticate prior to redirects
>+ String uri = ((HttpServletRequest)

request.getRequest()).getRequestURI();

>+ if (uri.length() > 0 && ! uri.endsWith("/") &&
>+ uri.equals(request.getContext().getName())) {
>+ context.invokeNext(request, response);
>+ return;
>+ }
>+
> if (debug >= 1)
> log("Security checking request " +
> ((HttpServletRequest) request.getRequest()).getMethod() +

" " +

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@;jakarta.apache.org>
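To make the credential-scoping consequence in Keith's two traces concrete, here is an added simulation; it is not code from this thread, from Tomcat or from any browser. It assumes a single realm with "/foo" as the protected context path, a toy browser that scopes cached Basic credentials the way RFC 2617 section 2 describes (to everything at or below the directory of the URI that was challenged), and a toy container whose only switch is whether the authenticator runs before or after the trailing-slash redirect.

```python
"""Added simulation of the two request sequences in Keith's message.

Constructed example, not Tomcat or browser code. The Browser scopes cached
Basic-auth credentials per RFC 2617 section 2; the Container reproduces
either the 4.0.6 ordering (challenge first) or the patched ordering
(redirect first). Assumed fixture: one realm, "/foo" is the protected context.
"""
from dataclasses import dataclass, field

CONTEXT = "/foo"   # assumed protected context; the constraint covers /foo and /foo/*


def protection_space(path: str) -> str:
    """Directory prefix a client treats as the Basic protection space of `path`.

    RFC 2617 section 2 tells the client to assume all paths at or deeper than
    the last path segment of the challenged URI share the realm, so:
        "/foo"  -> "/"      (the whole host)
        "/foo/" -> "/foo/"  (just the context)
    """
    return path[: path.rfind("/") + 1]


@dataclass
class Browser:
    # Prefixes for which the (single) realm's credentials are cached.
    spaces: set = field(default_factory=set)

    def sends_credentials(self, path: str) -> bool:
        return any(path.startswith(prefix) for prefix in self.spaces)

    def answer_challenge(self, path: str) -> None:
        # The user types a password once; the browser caches it for the space.
        self.spaces.add(protection_space(path))


@dataclass
class Container:
    auth_before_redirect: bool   # True reproduces the 4.0.6 / 3.3 ordering

    def is_protected(self, path: str) -> bool:
        return path == CONTEXT or path.startswith(CONTEXT + "/")

    def handle(self, path: str, has_credentials: bool):
        """Return (status, location)."""
        challenge = self.is_protected(path) and not has_credentials
        if self.auth_before_redirect and challenge:
            return 401, None
        if path == CONTEXT:          # context root asked for without trailing slash
            return 301, path + "/"
        if challenge:
            return 401, None
        return 200, None


def run(auth_before_redirect: bool) -> list:
    """Replay GET /foo then GET /bar; return [(path, credentials_sent, status)]."""
    browser, server = Browser(), Container(auth_before_redirect)
    trace = []
    for path in ("/foo", "/bar"):
        while True:
            creds = browser.sends_credentials(path)
            status, location = server.handle(path, creds)
            trace.append((path, creds, status))
            if status == 401:
                browser.answer_challenge(path)   # retry with credentials
            elif status == 301:
                path = location                  # follow the redirect
            else:
                break
    return trace


def credentials_leak_to_other_paths(auth_before_redirect: bool) -> bool:
    """True if /bar, which has no constraint, receives Basic credentials."""
    return any(creds for path, creds, _ in run(auth_before_redirect) if path == "/bar")


if __name__ == "__main__":
    for mode, label in ((True, "auth before redirect (4.0.6)"),
                        (False, "redirect first (patched)")):
        print(label)
        for path, creds, status in run(mode):
            print(f"  GET {path:<6} {'with' if creds else 'without'} auth -> {status}")
```

Running it prints the two traces from Keith's message. The whole difference is the key under which the browser caches the password: a challenge on "/foo" lands in protection space "/", so every later request to the host carries the credentials, while a challenge on "/foo/" stays confined to "/foo/".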