Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/03/12 03:39:06 UTC

DO NOT REPLY [Bug 14616] - Redirects should be issued prior to authentication challenges

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14616>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14616

Redirects should be issued prior to authentication challenges

------- Additional Comments From Keith@Apache.org  2003-03-12 02:39 -------
Proposed patch (against TOMCAT_4_1_18):

Index: 
catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-
4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,
v
retrieving revision 1.35
diff -u -r1.35 AuthenticatorBase.java
--- catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
16 Nov 2002 04:49:22 -0000      1.35
+++ catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
12 Mar 2003 02:34:45 -0000
@@ -443,6 +443,17 @@
         }
         HttpRequest hrequest = (HttpRequest) request;
         HttpResponse hresponse = (HttpResponse) response;
+
+        // Do not authenticate prior to redirects for trailing slashes,
+        // at least for the root of the context
+        String requestURI = hrequest.getDecodedRequestURI();
+        String contextPath = this.context.getPath();
+        if (requestURI.charAt(requestURI.length() - 1) != '/' &&
+            requestURI.equals(contextPath)) {
+            context.invokeNext(request, response);
+            return;
+        }
+
         if (debug >= 1)
             log("Security checking request " +
                 ((HttpServletRequest) request.getRequest()).getMethod() + " " +
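Review bot: `requestURI.charAt(requestURI.length() - 1)` is evaluated before the `equals(contextPath)` test, so an empty `requestURI` would throw `StringIndexOutOfBoundsException`; swapping the two operands, or using `!requestURI.endsWith("/")`, avoids that without changing the intent. The bigger concern is that the early `context.invokeNext(request, response); return;` skips the authenticator entirely for the bare context path and relies on something downstream issuing the trailing-slash redirect. If a later component serves content for that URI instead of redirecting (a welcome file or default servlet, for example), the request is handled with no authentication at all, which is exactly the check this valve exists to enforce. Safer is to issue the redirect here and return, so the bypass never reaches a resource. The comment's "at least for the root of the context" also overstates the scope: the condition matches only the exact context path, so say that. Consider emitting a `debug` log line for the bypass as well, since the existing `log("Security checking request ...")` just below is never reached for these requests.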
@@ -473,8 +484,6 @@
         // Special handling for form-based logins to deal with the case
         // where the login form (and therefore the "j_security_check" URI
         // to which it submits) might be outside the secured area
-        String contextPath = this.context.getPath();
-        String requestURI = hrequest.getDecodedRequestURI();
         if (requestURI.startsWith(contextPath) &&
             requestURI.endsWith(Constants.FORM_ACTION)) {
             if (!authenticate(hrequest, hresponse, config)) {
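Review bot: removing these two declarations is only valid if this code is in the same method as the first hunk, where `requestURI` and `contextPath` are now declared near the top; the shared context lines (`hrequest`, `hresponse`) suggest it is, but worth confirming against the full file. Nothing else changes here, and the form-login special case still runs after the new early return, which is fine: a request whose URI equals the bare context path cannot also end with `Constants.FORM_ACTION`, so `j_security_check` handling is unaffected.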

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org