Posted to dev@tomcat.apache.org by ma...@apache.org on 2012/08/07 23:30:50 UTC

svn commit: r1370540 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/authenticator/FormAuthenticator.java webapps/docs/changelog.xml

Author: markt
Date: Tue Aug  7 21:30:49 2012
New Revision: 1370540

URL: http://svn.apache.org/viewvc?rev=1370540&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53584
Ignore path parameters when comparing URIs for FORM authentication. This prevents users from being prompted twice for their password at login when session IDs are encoded as path parameters.

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1370537

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1370540&r1=1370539&r2=1370540&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Tue Aug  7 21:30:49 2012
@@ -498,7 +498,7 @@ public class FormAuthenticator
     }
 
       // Does the request URI match?
-      String requestURI = request.getRequestURI();
+      String requestURI = request.getDecodedRequestURI();
       if (requestURI == null) {
         return (false);
     }
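Review bot: The comment `// Does the request URI match?` above the changed line no longer says which form of the URI is compared, and that matters because this check decides whether the current request is treated as the one saved before login. I would change it to `// Does the decoded request URI (path parameters removed) match the saved one?` so a later edit does not reintroduce a raw-versus-decoded mismatch. The comparison itself lies outside the hunk, so I am assuming it reads the value written at `saved.setRequestURI(...)` in the second hunk. A SavedRequest stored by the old code, for example in a persisted session, would still hold the raw form and may fail to match once after the upgrade.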
@@ -658,7 +658,7 @@ public class FormAuthenticator
 
         saved.setMethod(request.getMethod());
         saved.setQueryString(request.getQueryString());
-        saved.setRequestURI(request.getRequestURI());
+        saved.setRequestURI(request.getDecodedRequestURI());
 
         // Stash the SavedRequest in our session for later use
         session.setNote(Constants.FORM_REQUEST_NOTE, saved);
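Review bot: `saved.setRequestURI(request.getDecodedRequestURI())` changes what every reader of the saved URI receives, not only the matcher in the first hunk. If code outside this hunk builds the post-login redirect or restores the request from that value, which the hunk does not show, percent-encoded characters in the original URI (an encoded `?`, `#`, `%` or space) would arrive already decoded and would need re-encoding before they are placed in a `Location` header. A safer split would keep `saved.setRequestURI(request.getRequestURI());` for replay and store the decoded form in a new, separate SavedRequest field (say `decodedRequestURI`) that only the comparison reads. A test that logs in via a protected URI containing an encoded character would confirm which behaviour applies. The enclosing method starts and ends outside the hunk.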

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1370540&r1=1370539&r2=1370540&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Tue Aug  7 21:30:49 2012
@@ -89,6 +89,12 @@
         <bug>53535</bug>: Reduce memory footprint when performing class scanning
         on Context start. Patch provided by Cedomir Igaly. (markt)
       </fix>
+      <fix>
+        <bug>53584</bug>: Ignore path parameters when comparing URIs for FORM
+        authentication. This prevents users being prompted twice for passwords
+        when logging in when session IDs are being encoded as path parameters.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">


