Posted to dev@tomcat.apache.org by bu...@apache.org on 2001/10/23 20:59:40 UTC
DO NOT REPLY [Bug 4374] New: - bypass of authentication mechanism
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4374>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4374
Summary: bypass of authentication mechanism
Product: Tomcat 4
Version: 4.0.1 Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: Other
Component: Unknown
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: mike.adair@ccrs.nrcan.gc.ca
The container based security mechanism in tomcat can be bypassed by accessing
the protected page using <jsp:include/> or <jsp:forward/>. A user can access
the page with a null username, where I think the login form should be displayed.
This is occurring with the MemoryRealm, as well as with my custom JDBC realm
implementation. It also applies to tomcat v3.2.3.
I will add an attachment to this bug report which is a jsp file that can be
used in the webapps/examples/jsp directory to demonstrate the problem.
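As an added example (not the reporter's attachment, which is not reproduced here): the check a protected page can perform itself, since, as the report describes, the container constraint is not applied when the page is reached through <jsp:include/> or <jsp:forward/> and the request may then carry no user at all. The page name protected.jsp and the role name "manager" are assumptions.

```jsp
<%-- protected.jsp (hypothetical): content that must only be shown to an
     authenticated user in the "manager" role (role name is an assumption). --%>
<%@ page import="java.security.Principal" %>
<%
    // The container applies <security-constraint> to the request that arrived
    // from the client. When this page is reached through <jsp:include/> or
    // <jsp:forward/> from an unprotected page, the same request object is
    // reused, so the principal is whatever the outer request carried:
    // null if the user never logged in. Enforce the requirement here as well.
    Principal user = request.getUserPrincipal();

    // Present only when this page was pulled in by an include; the outer
    // page's URI is then still available from request.getRequestURI().
    boolean included =
        request.getAttribute("javax.servlet.include.request_uri") != null;

    if (user == null || !request.isUserInRole("manager")) {
        // Do not rely on sendError(): an included resource cannot change the
        // response status, so the only safe action is to render nothing.
        application.log("protected.jsp refused: user=" + user
            + (included ? ", included from " + request.getRequestURI()
                        : ", direct or forwarded"));
        return;
    }
%>
<html>
<body>
  <p>Hello <%= user.getName() %>, here is the protected content.</p>
</body>
</html>
```

The log line gives an operator a record of each dispatcher-path access that the container constraint did not cover.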