Posted to dev@tomcat.apache.org by ma...@apache.org on 2007/04/28 18:10:04 UTC
svn commit: r533381 - in /tomcat/container/branches/tc4.1.x:
RELEASE-NOTES-4.1.txt
catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
Author: markt
Date: Sat Apr 28 09:10:03 2007
New Revision: 533381
URL: http://svn.apache.org/viewvc?view=rev&rev=533381
Log:
Return a 403 rather than a 500 if a request matches a security constraint that is defined with no roles and no associated login-config is specified.
Modified:
tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt?view=diff&rev=533381&r1=533380&r2=533381
==============================================================================
--- tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt (original)
+++ tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Sat Apr 28 09:10:03 2007
@@ -1668,6 +1668,11 @@
Commons Logging
Return to BeanUtils 1.7.0 since Commons Logging 1.1 resolves the issue
+[4.1.37] Authentication
+ Return a 403 rather than a 500 if a request matches a security
+ constraint that is defined with no roles and no associated
+ login-config is specified.
+
----------------
Coyote Bug Fixes:
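Review bot: the new [4.1.37] entry overstates the change; read together with the AuthenticatorBase hunks in this commit, only the empty auth-constraint (deny-all, no role-name) case moves from 500 to 403, while a constraint that does list roles and has no login-config still reaches the principal null check and still answers SC_INTERNAL_SERVER_ERROR. Suggest narrowing the wording so operators do not expect a 403 there, e.g. "Return a 403 rather than a 500 if a request matches a security constraint whose auth-constraint lists no roles and no login-config is specified."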
Modified: tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java?view=diff&rev=533381&r1=533380&r2=533381
==============================================================================
--- tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java Sat Apr 28 09:10:03 2007
@@ -554,18 +554,6 @@
}
}
- // Which user principal have we already authenticated?
- Principal principal =
- ((HttpServletRequest) request.getRequest()).getUserPrincipal();
- if (principal == null) {
- if (debug >= 2)
- log(" No user authenticated, cannot grant access");
- ((HttpServletResponse) response.getResponse()).sendError
- (HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
- sm.getString("authenticator.notAuthenticated"));
- return (false);
- }
-
// Check each role included in this constraint
String roles[];
if (constraint.getAllRoles()) {
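Review bot: removing the lookup here means `principal` is no longer declared before the role-computation block that follows (`String roles[]; if (constraint.getAllRoles()) { ... }` down to the `No listed roles means no access at all` return). The lines between this hunk and the next one are not shown, so confirm that nothing in that block references `principal`; the re-declaration in the second hunk only comes into scope after that block, and any surviving reference would fail to compile. The deleted text is otherwise identical to what the next hunk re-adds, so this is a pure move with no behavioural change for the roles-present case.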
@@ -585,6 +573,18 @@
return (false); // No listed roles means no access at all
}
+ // Which user principal have we already authenticated?
+ Principal principal =
+ ((HttpServletRequest) request.getRequest()).getUserPrincipal();
+ if (principal == null) {
+ if (debug >= 2)
+ log(" No user authenticated, cannot grant access");
+ ((HttpServletResponse) response.getResponse()).sendError
+ (HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+ sm.getString("authenticator.notAuthenticated"));
+ return (false);
+ }
+
Realm realm = context.getRealm();
for (int i = 0; i < roles.length; i++) {
if (realm.hasRole(principal, roles[i]))
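Review bot: the re-inserted check still responds with SC_INTERNAL_SERVER_ERROR and logs only behind `if (debug >= 2)`, so a constraint that lists roles but has no login-config keeps returning 500s to clients with nothing in the log at normal verbosity. Reaching this point with `principal == null` means no authenticator ran, which is a deployment error, so consider logging it unconditionally, e.g. `log(" No user authenticated, cannot grant access");` without the debug guard, so the misconfiguration is visible where the 500 is produced. The reordering itself does what the log message says: an empty-roles constraint now takes the `return (false); // No listed roles means no access at all` branch before the principal check, and the 403 comes from the sendError above that return, which lies outside this hunk's context and should be confirmed to use SC_FORBIDDEN.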