----- Original Message -----
From: "Costin Manolache" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 11, 2003 8:52 PM
Subject: Re: 4.1 authentication bug / bug 14616
> I think it is reasonable to fix it.
>
> This can be serious - if someone relies on application isolation (like
> a hosting environment), the consequences can be really bad, with
> one webapp guessing the credentials of another one.
> The fix seems reasonably simple and clean.
>

Except that it isn't really a fix. Like Remy, I'd like to see a more
general fix (e.g. using the new 5.0 Mapper). However, I won't -1 if
Keith wants to commit his patch. It does fix the worst-case condition.

> Costin
>
> Keith Wannamaker wrote:
>
> > Greetings,
> >
> > I brought this up in November. Remy and I have a disagreement
> > on how important fixing this bug is. I want to see if there is
> > a quorum of other committers who understand the problem and think
> > it should be fixed prior to the next stable build release of 4.1.
> >
> > The immediate problem is that current Tomcat behavior causes
> > browsers to submit auth credentials to webapps other than the
> > webapp that originally sent the 401 challenge.
> >
> > Most web servers, like Apache, are careful to redirect for
> > trailing slashes before challenging for authentication. Tomcat
> > does this backward. The result is the client will usually cache
> > the need for auth for the entire domain and not just a single
> > webapp.
> >
> > Here is a repeat of the scenario I mentioned in November
> > <http://marc.theaimsgroup.com/?l=tomcat-dev&m=103673355109222&w=2>
> >
> >   <Context path="/foo" docBase="foo" />
> >   <Context path="/bar" docBase="bar" />
> >
> > foo and bar web.xml protected with
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>name</web-resource-name>
> >       <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>admin</role-name>
> >     </auth-constraint>
> >   </security-constraint>
> >
> > Current behavior:
> >   Request                  Response
> >   GET /foo                 401
> >   (at this point browsers will send credentials to any url in this domain)
> >   GET /foo with auth       301 redirect to /foo/
> >   GET /foo/                200
> >   GET /bar with auth
> >       ^^^^^^^^^
> >
> > Correct behavior:
> >   GET /foo                 301 redirect to /foo/
> >   GET /foo/                401
> >   GET /foo/ with auth      200
> >   GET /bar without auth
> >       ^^^^^^^^^^^^
> >
> > My proposed patch is attached to bug 14616
> > <http://issues.apache.org/bugzilla/show_bug.cgi?id=14616>
> > While this does not cover the case of subdirectories within
> > a context, it does fix the most egregious case for context
> > roots.
> >
> > Please comment if you are not comfortable with credentials being
> > inadvertently shared between all webapps on a given domain.
> >
> > Keith
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
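An added example, not part of the thread and not Tomcat code: a small Python model of the two request sequences Keith lays out. The client side caches Basic credentials the way RFC 2617 section 2 permits, namely that after a 401 on a URI the browser may send credentials preemptively to every URI at or below the directory of that URI, so a 401 on /foo covers the whole host while a 401 on /foo/ covers only that context. The toy server, the two context names /foo and /bar, and the strictly-by-the-RFC caching rule are assumptions of the model, and the "current" order is the challenge-then-redirect behaviour the message describes for Tomcat 4.1.

```python
"""Model of why answering 401 before the trailing-slash 301 leaks Basic
credentials across webapps.  Constructed example: a toy server with two
protected contexts (/foo and /bar) and a client that caches credentials
per RFC 2617 section 2 (credentials may be sent preemptively to any URI at
or below the directory of the URI that was challenged)."""

CONTEXTS = ("/foo", "/bar")   # constructed; mirrors the two <Context> elements


def protection_space(path):
    """Directory prefix of a request path that drew a 401.

    A 401 on '/foo' yields '/', i.e. the whole host; a 401 on '/foo/'
    yields '/foo/', i.e. just that context."""
    return path[: path.rfind("/") + 1]


class Browser:
    """Minimal Basic-auth cache: remembers the protection spaces it has been
    challenged in and preemptively sends credentials inside them."""

    def __init__(self):
        self.spaces = set()

    def remember_challenge(self, path):
        self.spaces.add(protection_space(path))

    def will_send_credentials(self, path):
        return any(path.startswith(space) for space in self.spaces)


def toy_server(path, has_auth, redirect_first):
    """Return (status, location) for one request.

    redirect_first=False is the order described in the thread (challenge
    the bare context root, then redirect it); True is the Apache-style
    order (redirect /foo to /foo/ first, then challenge at /foo/)."""
    is_bare_root = path in CONTEXTS
    protected = any(path == c or path.startswith(c + "/") for c in CONTEXTS)
    if redirect_first and is_bare_root:
        return 301, path + "/"
    if protected and not has_auth:
        return 401, None
    if is_bare_root:
        return 301, path + "/"
    return 200, None


def fetch(browser, path, redirect_first, log):
    """Drive one user request to completion: on 401 the user supplies
    credentials and the client retries; a 301 is followed."""
    while True:
        with_auth = browser.will_send_credentials(path)
        status, location = toy_server(path, with_auth, redirect_first)
        log.append((path, with_auth, status))
        if status == 401:
            browser.remember_challenge(path)
            continue
        if status == 301:
            path = location
            continue
        return status


def run_scenario(redirect_first):
    """Visit /foo as in the thread, then ask whether a later request to the
    unrelated context /bar would carry the credentials entered for /foo."""
    browser, log = Browser(), []
    fetch(browser, "/foo", redirect_first, log)
    return log, browser.will_send_credentials("/bar")


if __name__ == "__main__":
    for label, order in (("current", False), ("correct", True)):
        log, leaks = run_scenario(order)
        print(f"{label} behaviour:")
        for path, with_auth, status in log:
            auth = "with" if with_auth else "without"
            print(f"  GET {path:<6} {auth} auth -> {status}")
        print(f"  GET /bar would carry credentials: {leaks}")
```

The model deliberately ignores realm names and the per-browser heuristics that real clients layer on top of the RFC rule; it only shows that the order of the 401 and the 301 decides whether the cached protection space is "/" or "/foo/", which is the whole difference between the two tables above. It also models only the bare context root, the case the patch on bug 14616 addresses, not subdirectories inside a context.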