Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/10/29 00:22:09 UTC
DO NOT REPLY [Bug 24197] New: - adding an extra slash in a mod_jk url circumvents tomcat (form) login authentication
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24197>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24197
Summary: adding an extra slash in a mod_jk url circumvents tomcat (form) login authentication
Product: Tomcat 4
Version: 4.1.27
Platform: All
URL: http://(on request)
OS/Version: All
Status: NEW
Severity: Major
Priority: Other
Component: Connector:JK/AJP (deprecated)
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: thundur@mayaxatl.org
Assume some.host:8009 with webapp 'webapp' is JkMounted on
http://some.host/webapp/*. If you request a file (e.g.
http://some.host/webapp/private.jsp) protected by a security-constraint in the
web.xml file, normally a password prompt would appear. However, if you type
http://some.host/webapp//private.jsp in your browser's address bar, you can view
the page, but as a user with no role.
This problem doesn't occur if you try Tomcat's HTTP/1.1 connector with an extra
slash.
Tested with FreeBSD 4.8, RedHat 8, mod_jk 1.1.0, mod_jk 1.2.4, mod_jk 1.2.5,
tomcat 4.1.12, tomcat 4.1.27, apache 1.3.28.
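The behaviour reported above is an instance of a general authorization failure: the security-constraint matcher sees a request path that has not been canonicalized, so `//private.jsp` fails to match the `/private.jsp` pattern while the resource lookup still serves the file. The example below is added here and is not code from the bug report, from Tomcat or from mod_jk. It models a context `/webapp` with a constructed stand-in for a web.xml constraint table (patterns and the role name `manager` are assumptions) and shows a naive matcher beside one that normalizes the path (collapsing repeated slashes and resolving dot segments) before matching.

```python
from urllib.parse import unquote, urlsplit

# Constructed stand-in for a web.xml <security-constraint> block:
# context-relative url-pattern -> roles allowed to reach it (role name assumed).
CONSTRAINTS = {
    "/private.jsp": {"manager"},   # exact-match pattern
    "/admin/*": {"manager"},       # path-prefix pattern
}

CONTEXT_PATH = "/webapp"  # the JkMount'ed context named in the report


def match_constraint(rel_path):
    """Servlet-style matching: exact pattern first, then the longest '/prefix/*'.
    Returns the set of roles required; an empty set means unconstrained."""
    if rel_path in CONSTRAINTS:
        return CONSTRAINTS[rel_path]
    best = None
    for pattern, roles in CONSTRAINTS.items():
        if not pattern.endswith("/*"):
            continue
        prefix = pattern[:-2]
        if rel_path == prefix or rel_path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, roles)
    return best[1] if best else set()


def normalize_path(raw_path):
    """Canonicalize a request path before any authorization decision:
    percent-decode once, drop empty segments (i.e. collapse '//' runs) and
    '.' segments, resolve '..'.  Returns None if the path would climb above
    the root, which a caller should treat as a rejection."""
    out = []
    for seg in unquote(raw_path).split("/"):
        if seg in ("", "."):
            continue            # '' is a duplicate slash, '.' is the same directory
        if seg == "..":
            if not out:
                return None     # attempt to escape the root
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def authorize(request_uri, user_roles, normalize=True):
    """True if a user holding user_roles may be served request_uri.
    normalize=False reproduces the naive matcher that the report's extra
    slash slips past; normalize=True is the hardened form."""
    path = urlsplit(request_uri).path
    if normalize:
        path = normalize_path(path)
        if path is None:
            return False
    # Split off the context path; only the remainder is matched against web.xml.
    if path == CONTEXT_PATH:
        rel = "/"
    elif path.startswith(CONTEXT_PATH + "/"):
        rel = path[len(CONTEXT_PATH):]
    else:
        return False            # not mapped to this webapp at all
    needed = match_constraint(rel)
    return not needed or bool(needed & user_roles)


if __name__ == "__main__":
    anonymous = set()
    for uri in ("http://some.host/webapp/private.jsp",
                "http://some.host/webapp//private.jsp"):
        print(uri,
              "naive:", authorize(uri, anonymous, normalize=False),
              "normalized:", authorize(uri, anonymous))
```

The naive matcher grants the anonymous user `/webapp//private.jsp` because the remainder after the context path is `//private.jsp`, which matches no pattern and is therefore treated as unconstrained. Normalizing first turns the same request into `/webapp/private.jsp`, and the constraint applies. The same canonical form must be used by whichever component serves the resource; a normalizer that disagrees with the file lookup just moves the gap.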
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org