I think it is reasonable to fix it. This can be serious - if someone relies on application isolation (like a hosting environment), the consequences can be really bad, with one webapp guessing the credentials of another one. The fix seems reasonably simple and clean.
Costin

Keith Wannamaker wrote:
> Greetings,
>
> I brought this up in November. Remy and I have a disagreement
> on how important fixing this bug is. I want to see if there is
> a quorum of other committers who understand the problem and think
> it should be fixed prior to the next stable build release of 4.1.
>
> The immediate problem is that current Tomcat behavior causes
> browsers to submit auth credentials to webapps other than the
> webapp that originally sent the 401 challenge.
>
> Most web servers, like Apache, are careful to redirect for
> trailing slashes before challenging for authentication. Tomcat
> does this backward. The result is the client will usually cache
> the need for auth for the entire domain and not just a single
> webapp.
>
> Here is a repeat of the scenario I mentioned in November
> <http://marc.theaimsgroup.com/?l=tomcat-dev&m=103673355109222&w=2>
>
> <Context path="/foo" docBase="foo" />
> <Context path="/bar" docBase="bar" />
>
> foo and bar web.xml protected with
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>name</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>admin</role-name>
>   </auth-constraint>
> </security-constraint>
>
> Current behavior:
> Request                  Response
> GET /foo                 401
> (at this point browsers will send credentials to any url in this domain)
> GET /foo with auth       301 redirect to /foo/
> GET /foo/                200
> GET /bar with auth
>         ^^^^^^^^^
>
> Correct behavior:
> GET /foo                 301 redirect to /foo/
> GET /foo/                401
> GET /foo/ with auth      200
> GET /bar without auth
>         ^^^^^^^^^^^^
>
> My proposed patch is attached to bug 14616
> <http://issues.apache.org/bugzilla/show_bug.cgi?id=14616>
> While this does not cover the case of subdirectories within
> a context, it does fix the most egregious case for context
> roots.
>
> Please comment if you are not comfortable with credentials being
> inadvertently shared between all webapps on a given domain.
>
> Keith
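The two request/response sequences in Keith's message, played out by a model server and a model browser. This is an added example written for this page, not code from the thread, from Tomcat or from the attached patch. The server is a stand-in for Tomcat with two contexts whose web.xml protects /* with a Basic auth constraint; the `redirect_first` flag switches between challenging before redirecting (the current behaviour) and redirecting before challenging (the proposed fix). The browser applies the protection-space rule of RFC 2617 section 3.3: after a 401 on a URI, every path at or deeper than that URI's directory is assumed to be in the same protection space, and credentials are sent preemptively for such paths. A 401 on `/foo` therefore teaches the browser the prefix `/`, which covers `/bar`, while a 401 on `/foo/` teaches it only `/foo/`. The realm name, the `admin:secret` credential and the trace format are constructed for the example; Python is used because the point is the HTTP exchange rather than Tomcat internals.

```python
"""Model of the thread's scenario: two protected contexts (/foo, /bar), a
server that either challenges with 401 before redirecting a missing trailing
slash (current Tomcat) or redirects first (proposed fix), and a browser that
caches Basic credentials per protection space (RFC 2617 section 3.3).
Names, realm and credential are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

CREDENTIAL = "Basic YWRtaW46c2VjcmV0"  # constructed: base64("admin:secret")
REALM = "Example"                       # constructed; both webapps share it


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    www_authenticate: Optional[str] = None


class Server:
    """Stand-in for a container with two contexts, each protecting /* with Basic auth."""

    def __init__(self, contexts: List[str], redirect_first: bool) -> None:
        self.contexts = contexts
        self.redirect_first = redirect_first

    def context_for(self, path: str) -> Optional[str]:
        for ctx in self.contexts:
            if path == ctx or path.startswith(ctx + "/"):
                return ctx
        return None

    def handle(self, path: str, authorization: Optional[str]) -> Response:
        ctx = self.context_for(path)
        if ctx is None:
            return Response(404)
        missing_slash = path == ctx            # context root requested without trailing slash
        redirect = Response(301, location=ctx + "/")
        if self.redirect_first and missing_slash:
            return redirect                    # proposed fix: canonicalise before challenging
        if authorization != CREDENTIAL:        # current behaviour: challenge first
            return Response(401, www_authenticate='Basic realm="%s"' % REALM)
        return redirect if missing_slash else Response(200)


def protection_space(challenged_path: str) -> str:
    """Directory prefix a browser treats as the protection space after a 401 on this path."""
    return challenged_path.rsplit("/", 1)[0] + "/"


class Browser:
    """Follows redirects and sends cached credentials preemptively inside known spaces."""

    def __init__(self, server: Server) -> None:
        self.server = server
        self.spaces: Set[Tuple[str, str]] = set()          # (realm, directory prefix)
        self.trace: List[Tuple[str, bool, int]] = []       # (path, credentials sent?, status)

    def will_send_credentials(self, path: str) -> bool:
        return any(path.startswith(prefix) for _, prefix in self.spaces)

    def fetch(self, path: str, max_hops: int = 8) -> Response:
        for _ in range(max_hops):
            auth = CREDENTIAL if self.will_send_credentials(path) else None
            resp = self.server.handle(path, auth)
            self.trace.append((path, auth is not None, resp.status))
            if resp.status == 401:
                realm = re.search(r'realm="([^"]*)"', resp.www_authenticate).group(1)
                self.spaces.add((realm, protection_space(path)))
                continue                       # retry, now inside a known protection space
            if resp.status == 301:
                path = resp.location
                continue
            return resp
        raise RuntimeError("too many hops")


def run_scenario(redirect_first: bool) -> dict:
    """Log in to /foo, then visit /bar; did /bar receive credentials before it ever challenged?"""
    server = Server(["/foo", "/bar"], redirect_first)
    browser = Browser(server)
    browser.fetch("/foo")
    first_bar = len(browser.trace)             # index of the very first request sent to /bar
    browser.fetch("/bar")
    return {
        "trace": browser.trace,
        "bar_received_credentials_unchallenged": browser.trace[first_bar][1],
        "learned_spaces": sorted(browser.spaces),
    }


if __name__ == "__main__":
    for label, fix in (("current Tomcat (401 before 301)", False), ("redirect first (fix)", True)):
        result = run_scenario(fix)
        print(label)
        for path, sent, status in result["trace"]:
            print("  GET %-6s %-9s -> %d" % (path, "with auth" if sent else "no auth", status))
        print("  /bar got credentials without challenging:",
              result["bar_received_credentials_unchallenged"])
```

Running it prints the same two sequences as the message: with the current ordering the browser learns the prefix `/` from the 401 on `/foo` and volunteers the credentials on its first request to `/bar`; with the redirect issued first the 401 arrives on `/foo/`, the learned prefix is `/foo/`, and `/bar` has to issue its own challenge. Any path under a context (for example `/foo/admin/index.jsp`) yields a prefix deeper than the context root, which is why the patch's coverage of context roots only still leaves subdirectory challenges scoped at least as tightly as the context.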