Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/10/29 00:22:09 UTC

DO NOT REPLY [Bug 24197] New: - adding an extra slash in a mod_jk url circumvents tomcat (form) login authentication

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24197>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24197

adding an extra slash in a mod_jk url circumvents tomcat (form) login authentication

           Summary: adding an extra slash in a mod_jk url circumvents tomcat
                    (form) login authentication
           Product: Tomcat 4
           Version: 4.1.27
          Platform: All
               URL: http://(on request)
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Connector:JK/AJP (deprecated)
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: thundur@mayaxatl.org


Assume some.host:8009 with webapp 'webapp' is JkMounted on
http://some.host/webapp/*. If you request a file (e.g.
http://some.host/webapp/private.jsp) protected by a security-constraint in the
web.xml file, normally a password prompt would appear. However, if you type
http://some.host/webapp//private.jsp in your browser's address bar, you can view
the page, but as a user with no role.

This problem doesn't occur if you try tomcat's http/1.1 connector with an extra
slash.

Tested with FreeBSD 4.8, RedHat 8, mod_jk 1.1.0, mod_jk 1.2.4, mod_jk 1.2.5,
tomcat 4.1.12, tomcat 4.1.27, apache 1.3.28.
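The report above describes a path-based security constraint being evaluated against a request path that was never canonicalized, so `/webapp//private.jsp` fails to match the pattern that protects `/webapp/private.jsp` and is served without a login. The following Python script is an added illustration written for this archive page; it is not code from the bug report, from mod_jk or from Tomcat. The context path, the `url-pattern` entries and the role names are constructed examples. It contrasts a matcher that compares the raw path with one that first collapses repeated slashes and dot segments, and adds a small check a defender can use to log requests whose raw path is not in canonical form.

```python
import re
from typing import Dict, Optional, Set

# Constructed example: one context path and a few security constraints in
# the style of web.xml <url-pattern> entries. Hypothetical values, not taken
# from the bug report.
CONTEXT_PATH = "/webapp"
CONSTRAINTS: Dict[str, Set[str]] = {
    "/private.jsp": {"member"},   # exact-match pattern
    "/admin/*": {"admin"},        # path-prefix pattern
    "*.pdf": {"member"},          # extension pattern
}


def normalize_path(path: str) -> str:
    """Collapse repeated slashes and resolve '.' and '..' segments.

    Plain dot-segment removal written for illustration; it is not Tomcat's
    or mod_jk's own normalizer.
    """
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue              # '' comes from a leading '/' or from '//'
        if seg == "..":
            if out:
                out.pop()         # never climb above the root
            continue
        out.append(seg)
    return "/" + "/".join(out)


def match_pattern(pattern: str, path: str) -> bool:
    """Match one servlet-style url-pattern against a context-relative path."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern == "/":
        return True
    return path == pattern


def required_roles(request_uri: str, normalize: bool) -> Optional[Set[str]]:
    """Return the roles the constraints demand for request_uri, or None when
    no constraint matches (the request would then be served unauthenticated).
    """
    path = normalize_path(request_uri) if normalize else request_uri
    if path != CONTEXT_PATH and not path.startswith(CONTEXT_PATH + "/"):
        return None               # not addressed to this webapp at all
    relative = path[len(CONTEXT_PATH):] or "/"
    roles: Set[str] = set()
    matched = False
    for pattern, needed in CONSTRAINTS.items():
        if match_pattern(pattern, relative):
            roles |= needed
            matched = True
    return roles if matched else None


# Raw paths that differ from their canonical form: empty segments, '.' or '..'
IRREGULAR = re.compile(r"//|/\.(/|$)|/\.\.(/|$)")


def is_irregular(request_uri: str) -> bool:
    """True when the raw path is not canonical; useful for logging requests
    that would be treated differently by a naive and a normalizing matcher."""
    return bool(IRREGULAR.search(request_uri))


if __name__ == "__main__":
    for uri in ("/webapp/private.jsp", "/webapp//private.jsp",
                "/webapp/./private.jsp"):
        print(uri,
              "raw:", required_roles(uri, normalize=False),
              "normalized:", required_roles(uri, normalize=True),
              "irregular:", is_irregular(uri))
```

Running the script shows the raw matcher returning no constraint for the double-slash form while the normalizing matcher returns the same roles as for the clean path. The fix on the server side is the same as in the example: canonicalize the path once, before any pattern is consulted, rather than relying on each front-end connector to do it.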
