Greetings, I brought this up in November. Remy and I have a disagreement on how important fixing this bug is. I want to see if there is a quorum of other committers who understand the problem and think it should be fixed prior to the next stable build release of 4.1.
The immediate problem is that current Tomcat behavior causes browsers to submit auth credentials to webapps other than the webapp who originally sent the 401 challenge. Most web servers, like Apache, are careful to redirect for trailing slashes before challenging for authentication. Tomcat does this backward. The result is the client will usually cache the need for auth for the entire domain and not just a single webapp. Here is a repeat of the scenario I mentioned in November <http://marc.theaimsgroup.com/?l=tomcat-dev&m=103673355109222&w=2> <Context path="/foo" docBase="foo" /> <Context path="/bar" docBase="bar" /> foo and bar web.xml protected with <security-constraint> <web-resource-collection> <web-resource-name>name </web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint> Current behavior: Request Response GET /foo 401 (at this point browsers will send credentials to any url in this domain) GET /foo with auth 301 redirect to /foo/ GET /foo/ 200 GET /bar with auth ^^^^^^^^^ Correct behavior: GET /foo 301 redirect to /foo/ GET /foo/ 401 GET /foo/ with auth 200 GET /bar without auth ^^^^^^^^^^^^ My proposed patch is attached to bug 14616 <http://issues.apache.org/bugzilla/show_bug.cgi?id=14616> While this does not cover the case of subdirectories within a context, it does fix the most egregious case for context roots. Please comment if you are not comfortable with credentials being inadvertently shared between all webapps on a given domain. Keith --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
