Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/03/12 03:39:06 UTC
DO NOT REPLY [Bug 14616] -
Redirects should be issued prior to authentication challenges
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14616
------- Additional Comments From Keith@Apache.org 2003-03-12 02:39 -------
Proposed patch (against TOMCAT_4_1_18):
Index:
catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-
4.0/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java,
v
retrieving revision 1.35
diff -u -r1.35 AuthenticatorBase.java
--- catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
16 Nov 2002 04:49:22 -0000 1.35
+++ catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
12 Mar 2003 02:34:45 -0000
@@ -443,6 +443,17 @@
}
HttpRequest hrequest = (HttpRequest) request;
HttpResponse hresponse = (HttpResponse) response;
+
+ // Do not authenticate prior to redirects for trailing slashes,
+ // at least for the root of the context
+ String requestURI = hrequest.getDecodedRequestURI();
+ String contextPath = this.context.getPath();
+ if (requestURI.charAt(requestURI.length() - 1) != '/' &&
+ requestURI.equals(contextPath)) {
+ context.invokeNext(request, response);
+ return;
+ }
+
if (debug >= 1)
log("Security checking request " +
((HttpServletRequest) request.getRequest()).getMethod() + " " +
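Review bot: The early `return` after `context.invokeNext(request, response)` skips every check that follows in this method for any request whose URI equals the context path, so it is only safe if whatever runs next always answers that URI with the trailing-slash redirect and never with content. The added comment should state that assumption explicitly, or the redirect could be issued here so the bypass cannot result in anything else being served. Separately, `requestURI.charAt(requestURI.length() - 1)` throws StringIndexOutOfBoundsException when the string is empty and nothing guards the length; `!requestURI.endsWith("/")` expresses the same test without that failure mode. The comment's "at least for the root of the context" also means other directory redirects under a protected area still get challenged first, which is worth noting in the bug so the remaining gap is tracked.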
@@ -473,8 +484,6 @@
// Special handling for form-based logins to deal with the case
// where the login form (and therefore the "j_security_check" URI
// to which it submits) might be outside the secured area
- String contextPath = this.context.getPath();
- String requestURI = hrequest.getDecodedRequestURI();
if (requestURI.startsWith(contextPath) &&
requestURI.endsWith(Constants.FORM_ACTION)) {
if (!authenticate(hrequest, hresponse, config)) {
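Review bot: With the two declarations removed here, the `requestURI.startsWith(contextPath)` test for the form-login case now depends on variables assigned at the top of the method, about thirty lines earlier. Declaring `requestURI` and `contextPath` as `final` where they are now introduced would make it clear that this check sees the same values as the new trailing-slash test and that nothing in between reassigns them.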