You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2012/08/31 00:59:07 UTC

svn commit: r1379208 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/realm/RealmBase.java webapps/docs/changelog.xml

Author: markt
Date: Thu Aug 30 22:59:07 2012
New Revision: 1379208

URL: http://svn.apache.org/viewvc?rev=1379208&view=rev
Log:
Overlapping URL patterns were sometimes merged incorrectly in security constraints leading to incorrect 401 responses. Note: it was possible for access to be denied when it should have been granted but it was not possible for access to be granted when it should have been denied.

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1379206

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1379208&r1=1379207&r2=1379208&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java Thu Aug 30 22:59:07 2012
@@ -659,14 +659,15 @@ public abstract class RealmBase extends 
                     }
                 }
                 if(matched) {
-                    found = true;
                     if(length > longest) {
+                        found = false;
                         if(results != null) {
                             results.clear();
                         }
                         longest = length;
                     }
                     if(collection[j].findMethod(method)) {
+                        found = true;
                         if(results == null) {
                             results = new ArrayList<SecurityConstraint>();
                         }
@@ -790,7 +791,7 @@ public abstract class RealmBase extends 
      */
     private SecurityConstraint [] resultsToArray(
             ArrayList<SecurityConstraint> results) {
-        if(results == null) {
+        if(results == null || results.size() == 0) {
             return null;
         }
         SecurityConstraint [] array = new SecurityConstraint[results.size()];

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1379208&r1=1379207&r2=1379208&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Aug 30 22:59:07 2012
@@ -190,6 +190,13 @@
         correct paths for subdirectories. Patch provided by Kevin Wooten.
         (kkolinko)
       </fix>
+      <fix>
+        <bug>53801</bug>: Overlapping URL patterns were sometimes merged
+        incorrectly in security constraints leading to incorrect 401 responses.
+        Note: it was possible for access to be denied when it should have been
+        granted but it was not possible for access to be granted when it should
+        have been denied. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org