Hey Bill, thanks for the input. I am all ears if you can think of a better way to fix this in 4.1. Rather than forward-porting this fix to 5.0, I will look at better ways of doing it there since you indicate they exist.
I think this is the way to go for 4.1 since it will fix both the most and the worst cases, namely inter-webapp credential sharing.

Keith

| -----Original Message-----
| From: Bill Barker [mailto:[EMAIL PROTECTED]
| Sent: Wednesday, March 12, 2003 1:28 AM
| To: Tomcat Developers List
| Subject: Re: 4.1 authentication bug / bug 14616
|
|
| ----- Original Message -----
| From: "Costin Manolache" <[EMAIL PROTECTED]>
| To: <[EMAIL PROTECTED]>
| Sent: Tuesday, March 11, 2003 8:52 PM
| Subject: Re: 4.1 authentication bug / bug 14616
|
|
| > I think it is reasonable to fix it.
| >
| > This can be serious - if someone relies on application isolation (like
| > a hosting environment), the consequences can be really bad, with
| > one webapp guessing the credentials of another one.
| > The fix seems reasonably simple and clean.
| >
|
| Except that it isn't really a fix. Like Remy, I'd like to see a more
| general fix (e.g. using the new 5.0 Mapper). However, I won't -1 if Keith
| wants to commit his patch. It does fix the worst-case condition.