Bernhard Wraase wrote:
Hi,
I found a bug in tomcat 5. I can reproduce it with tomcat 5.016, 5.018 and 5.019. Other versions of tomcat 5 I didn't test.
Here is my testcase:
create a folder under <tomcat5>/webapps (ie. sec-test) put a zip-file and/or a pdf-file in it (ie. a.pdf, b.zip) configure https with certificate and port in server.xml configure the redirect from http to https in server.xml configure the webapp start tomcat 5
start IE 5.5 or 6.0 try https://<servername>/sec-test/a.pdf try https://<servername>/sec-test/b.zip
both works correctly
Now the buggy behavior:
add a web.xml with following part: <security-constraint> <web-resource-collection> <web-resource-name>The Entire Web App</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
Now it is not anymore possible to open or store neither the pdf-file nor the zip-file with same url from above.
"Internet Explorer cannot download a.pdf from localhost.
Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannnot be found. Please try again later."
"Internet Explorer cannot download b.zip from localhost.
Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannnot be found. Please try again later."
This happens only with IE 5.5 and 6.0, not with mozilla 1.6 or Opera 7.23(tested).
The same webapp works works correctly in tomcat 4.02, 4.04, 4.1.30(all tested).
I tested on solaris(8), linux(SuSe 8.1) and W2000, the behavior is the same, means the operating system does not matter.
Could this please anybody confirm?
If somebody has a smart workarround or bugfix for tomcat 5 I appreciate it very much.
I try to understand the BaseAuthenticator(catalina.jar) since I thought there would be the bug but I must confess that I failed:-(
smime.p7s
Description: S/MIME Cryptographic Signature
