Posted to dev@tomcat.apache.org by Jeff Tulley <JT...@novell.com> on 2003/03/27 23:30:40 UTC

Tomcat security handling spec non-compliance

I think I've found a fairly important place where Tomcat is not spec
compliant. I think there is code in there to make this work, but the
code must have a bug.
The spec part is: SRV 12.5.3, actually in J2EE.12.5.3.1 Login Form
Notes:
...
If the form based login is invoked because of an HTTP request, the
original request parameters must be preserved by the container for use
if, on successful authentication, it redirects the call to the requested
resource.
...

I have shown that this is not working using the following process:
Create a simple jsp, "formHandler.jsp", put it in a protected app (I
used Tomcat's admin):
<html>
<body>
<%-- echo the "Color" parameter from the request that reached this page --%>
<%
String color = request.getParameter("Color");
%>
Your color is: <%=color%>
</body>
</html>

Create a simple form somewhere outside of there:
<html>
<body>
<!-- POSTs Color=red to the protected JSP in the admin app -->
<form action="/admin/formHandler.jsp" method="post">
<input type="text" name="Color" value="red">
<input type="submit" name="Submit">
</form>
</body>
</html>

If you submit the form while there is a current valid login to the
admin application, your formHandler jsp outputs the correct parameter
information.
If you submit the form while not authenticated to the application, you
are redirected to the login page. After you enter valid credentials, you
are redirected to the formHandler.jsp, which outputs "Your color is:
null". It has lost the original request parameters even though it appears
that org.apache.catalina.authenticator.FormAuthenticator, restoreRequest
tries to restore these.

Can somebody else verify that they see this, and should I submit a bug?
It seems that this is very important and needs to be fixed.

This is on Tomcat 4.1.18, and I just verified it is still there on
Tomcat 4.1.24.

Jeff Tulley  (jtulley@novell.com)
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
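The save-and-restore contract the post relies on, as an added illustration (not code from the post or from Tomcat's FormAuthenticator): a small Python model of a container stashing a protected request before the login redirect and replaying it after a successful login. The `keep_body=False` branch is a hypothetical restore that rebuilds only the URI and query string, which is one way a POST's parameters end up as null after login; it is not a claim about what Tomcat 4.1 actually does.

```python
# Added model of the SRV 12.5.3.1 requirement: the container must carry the
# original request (including POST body parameters) across the login redirect.
# Names and the login page path are constructed for this example.
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Request:
    method: str
    uri: str
    query: str = ""   # raw query string, e.g. "Color=red"
    body: str = ""    # application/x-www-form-urlencoded body, e.g. "Color=red"

    def get_parameter(self, name):
        """Servlet-style lookup: query string first, then the form body."""
        for raw in (self.query, self.body):
            vals = parse_qs(raw).get(name)
            if vals:
                return vals[0]
        return None


def save_request(req, session):
    """Container side: stash the protected request, then redirect to login."""
    session["saved_request"] = Request(req.method, req.uri, req.query, req.body)
    return "302 -> /admin/login.jsp"   # hypothetical login page


def restore_request(session, keep_body):
    """Container side after login. keep_body=False models a restore that keeps
    only URI + query string: fine for GET, but drops POST body parameters."""
    saved = session.pop("saved_request")
    if keep_body:
        return saved
    return Request("GET", saved.uri, saved.query)


def login_roundtrip(original, keep_body):
    """Unauthenticated request -> login -> redirect; returns what the JSP sees."""
    session = {}
    save_request(original, session)
    # ... user submits valid credentials to j_security_check here ...
    return restore_request(session, keep_body).get_parameter("Color")


if __name__ == "__main__":
    post = Request("POST", "/admin/formHandler.jsp", body="Color=red")
    get = Request("GET", "/admin/formHandler.jsp", query="Color=red")
    print("POST, full restore:", login_roundtrip(post, True))    # red
    print("POST, URI only:    ", login_roundtrip(post, False))   # None
    print("GET, URI only:     ", login_roundtrip(get, False))    # red
```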