Posted to dev@tomcat.apache.org by To...@putnam.com on 2002/08/02 22:06:19 UTC
proposed org.apache.tomcat.modules.aaa.AccessInterceptor fix for security-constraint
Hi,
I found that tomcat-3.3.1 will end up in an endless redirect loop if you
use FORM auth-method in your login-config and happen to place your
form-login-page in a path that is protected by a web-resource-name in your
security constraint.
Based on my assessment, the following patch fixes the bug.
Part of the fix below was adapted from tomcat 4.0 sources.
Comments? Opinions?
-Tony Chao
C:\Documents and Settings\hchao\Desktop>diff AccessInterceptor.java AccessInterceptor.java.orig
273,301d272
< // Is this a request for the login page itself? Test here to
avoid
< // displaying it twice (from the user's perspective) -- once
because
< // of the "save and redirect" and once because of the "restore
and
< // redirect" performed below.
< if (reqURI.equals(ctx.getFormLoginPage())) {
< if (debug >= 1)
< log("Requesting login page normally");
< return 0; // Display the login page in the usual manner
< }
<
< // Is this a request for the error page itself? Test here to
avoid
< // an endless loop (back to the login page) if the error page is
< // within the protected area of our security constraint
< if (reqURI.equals(ctx.getFormErrorPage())) {
< if (debug >= 1)
< log("Requesting error page normally");
< return 0; // Display the error page in the usual manner
< }
<
< int lastS=ctx.getFormLoginPage().lastIndexOf( "/" );
< String security_check_url = ctx.getFormLoginPage().substring( 0,
lastS)
< + "/j_security_check";
< if (reqURI.equals(security_check_url)) {
< if (debug >= 1)
< log("Requesting security check page normally");
< return 0; // Display the security check in the usual
manner
< }
<
<
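Review bot: The `security_check_url` computation calls `ctx.getFormLoginPage().substring( 0, lastS)` with no guard on either value. If the configured login page contains no "/", `lastS` is -1 and `substring` throws StringIndexOutOfBoundsException, and if `getFormLoginPage()` can return null (for example when the context does not use FORM auth) the `lastIndexOf` call throws NullPointerException on every constrained request; the two `reqURI.equals(...)` tests above it are null-safe, this one is not. Suggest wrapping all three checks in a test that a form login page is configured and skipping the j_security_check comparison when `lastS < 0`. Since each `return 0` exempts the matched URI from the constraint, the exact `equals` match is the right choice, but a short comment stating that `reqURI` is expected to be in the same form as the configured page paths would help the next reader. The diff was also run with the patched file as the first argument, so the added lines appear as `<` under `273,301d272`; regenerating it as `diff -u AccessInterceptor.java.orig AccessInterceptor.java` would give a patch that applies in the right direction.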