Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/07/23 01:28:24 UTC
[Bug 53584] New: Forms authentication without cookies requires double submission in 6.0.33
https://issues.apache.org/bugzilla/show_bug.cgi?id=53584
Priority: P2
Bug ID: 53584
Assignee: dev@tomcat.apache.org
Summary: Forms authentication without cookies requires double submission in 6.0.33
Severity: normal
Classification: Unclassified
Reporter: b.mason@adinstruments.com
Hardware: PC
Status: NEW
Version: 6.0.35
Component: Catalina
Product: Tomcat 6
Created attachment 29093
--> https://issues.apache.org/bugzilla/attachment.cgi?id=29093&action=edit
Standalone test app which reproduces the issue
We have an application which uses the forms authentication provided by the Servlet
specification and is configured to store session IDs in the URL rather than using
cookies. This configuration has been working as expected under Tomcat 6.0.32
and earlier.
On upgrading to Tomcat 6.0.33 or 6.0.35 this combination no longer works as
expected. Specifically, when a user initially submits the login form they are
immediately returned back to the form-login-page. Submitting the login form a
second time allows them to log in. The only difference I have been able to spot
between the first and second form submission is for the second submission the
request attribute "javax.servlet.forward.request_uri" now has the jsessionid
appended to the URL.
Attached is a standalone WAR which reliably reproduces the problem with 6.0.33
and 6.0.35. Steps to reproduce:
1) Unpack Tomcat 6.0.33. I used the Windows version
"apache-tomcat-6.0.33-windows-x86.zip".
2) Drop forms-auth-test.war into the webapps directory.
3) Disable cookies by editing conf/context.xml:
<Context cookies="false">
....
</Context>
4) Add a user to authenticate with to conf/tomcat-users.xml:
<tomcat-users>
<role rolename="tomcat"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
5) Launch Tomcat; I used "bin/catalina.bat start".
6) Navigate to http://localhost:8080/forms-auth-test/index.jsp
7) Enter user:tomcat pass:tomcat (should be prefilled). Click login.
8) Observe that you are returned to the login page (with a session ID in the
URL this time).
9) Enter the username and password again and click login.
10) Login should succeed this time.
Environment details:
- Windows 7 64-bit, Oracle JVM 1.6.0u32 & 1.7.0u4.
- Debian 5 32-bit, Oracle JVM 1.6.0u32.
Relevant tomcat-user mailing list thread:
http://tomcat.markmail.org/thread/kywykrrjvwuavndp
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
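Steps 6 to 10 of the report, driven by an HTTP client that never stores a cookie, as an added example that is not part of the bug report or its attached WAR. It assumes the test app is deployed at BASE_URL, that it uses the Servlet-standard j_security_check / j_username / j_password form, and that the login page encodes its form action so the session id shows up as a ;jsessionid path parameter; BASE_URL, the credentials and SAMPLE_LOGIN_PAGE are constructed for the example.

```python
"""Cookie-less FORM login probe for the double-submission symptom in bug 53584.

Added example, not part of the bug report or its attached WAR. Assumptions:
the test app is deployed at BASE_URL, it uses the Servlet-standard
j_security_check / j_username / j_password form, and its login page encodes
the form action so the session id appears as a ;jsessionid path parameter.
Nothing is run at import time; call probe() against a running Tomcat.
"""

import re
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:8080/forms-auth-test"  # assumed deployment path
USERNAME = "tomcat"  # from the report's tomcat-users.xml
PASSWORD = "tomcat"

# Constructed sample of what a URL-rewritten login page looks like when
# cookies are disabled: the action carries the session id as a path parameter.
SAMPLE_LOGIN_PAGE = (
    '<form method="POST" action="j_security_check;jsessionid=1A2B3C4D5E6F7A8B9C0D">'
    '<input name="j_username"><input name="j_password" type="password">'
    "</form>"
)

JSESSIONID_RE = re.compile(r";jsessionid=([^;/?#\"'\s]+)", re.IGNORECASE)


def extract_jsessionid(text):
    """Return the first ;jsessionid path parameter in a URL or HTML body, or None."""
    match = JSESSIONID_RE.search(text)
    return match.group(1) if match else None


def looks_like_login_page(html):
    """The server rendered the login form again if the j_security_check action is present."""
    return "j_security_check" in html


def fetch(opener, url, data=None):
    """GET (or POST when data is given); return (final_url, status, body).

    urllib follows the 302 after j_security_check and re-issues it as a GET,
    which mirrors what the browser does in steps 7 and 9 of the report.
    """
    request = urllib.request.Request(url, data=data)
    try:
        with opener.open(request, timeout=10) as response:
            return response.geturl(), response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.geturl(), err.code, err.read().decode("utf-8", "replace")


def login_action_url(base_url, session_id):
    """Build the j_security_check URL, carrying the session id as a path parameter."""
    suffix = f";jsessionid={session_id}" if session_id else ""
    return f"{base_url}/j_security_check{suffix}"


def probe(base_url=BASE_URL, username=USERNAME, password=PASSWORD):
    """Replay steps 6-10: open index.jsp, then submit the login form twice.

    The opener deliberately has no HTTPCookieProcessor, so no cookie is ever
    stored or sent; the ;jsessionid path parameter is the only session carrier.
    Returns one observation per attempt so the two submissions can be compared.
    """
    opener = urllib.request.build_opener()
    url, _status, html = fetch(opener, f"{base_url}/index.jsp")
    session_id = extract_jsessionid(html) or extract_jsessionid(url)
    form = urllib.parse.urlencode({"j_username": username, "j_password": password}).encode()

    observations = []
    for attempt in (1, 2):
        url, status, html = fetch(opener, login_action_url(base_url, session_id), form)
        # Keep whichever session id the server handed back (step 8 says the
        # bounce carries one in the URL), so the second attempt uses it.
        session_id = extract_jsessionid(url) or extract_jsessionid(html) or session_id
        observations.append({
            "attempt": attempt,
            "status": status,
            "final_url": url,
            "bounced_to_login": looks_like_login_page(html),
        })
    return observations


if __name__ == "__main__":
    for obs in probe():
        print(obs)
```

Against a 6.0.33 or 6.0.35 instance with cookies="false" the first observation should report bounced_to_login as true and the second as false, matching steps 8 and 10; on 6.0.32 or a build carrying the fix both attempts should land on the original page. Because the client holds no cookie jar, a run that behaves differently from the browser steps points at the login page not encoding its form action rather than at the authenticator.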
[Bug 53584] Forms authentication without cookies requires double submission in 6.0.33
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53584
--- Comment #2 from b.mason@adinstruments.com <b....@adinstruments.com> ---
(In reply to comment #1)
Thanks Mark. Glad my steps made the bug easy to reproduce. I'm a software
developer myself so tried to add everything I would want in a bug report.
[Bug 53584] Forms authentication without cookies requires double submission in 6.0.33
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53584
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |koen@emweb.be
--- Comment #4 from Mark Thomas <ma...@apache.org> ---
*** Bug 54340 has been marked as a duplicate of this bug. ***
Re: [Bug 53584] Forms authentication without cookies requires double submission in 6.0.33
Posted by Brian Burch <br...@pingtoo.com>.
On 14/08/12 16:58, Mark Thomas wrote:
> Brian Burch <br...@pingtoo.com> wrote:
>
>> On 07/08/12 22:33, bugzilla@apache.org wrote:
>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=53584
>>>
>>> Mark Thomas <ma...@apache.org> changed:
>>>
>>> What |Removed |Added
>>> ----------------------------------------------------------------------------
>>> OS| |All
>>>
>>> --- Comment #1 from Mark Thomas <ma...@apache.org> ---
>>> Thanks for an excellent bug report. The issue was a real pleasure to
>>> investigate - not just because the root cause was interesting but because I
>>> could focus on the interesting bits rather than having to waste time trying to
>>> build the test WAR using the current flavour of the month for scm and/or build
>>> tool and/or source layout. Simple WARs are *SO* much easier to work with.
>>>
>>> The clear steps to re-create the issue were also extremely helpful. So again,
>>> thank-you.
>>>
>>> The root cause is that as of 6.0.33 path parameters are included in the value
>>> returned from HttpServletRequest.getRequestURI(). During the FORM auth, one of
>>> the checks post authentication is "Does the current URI equal the original
>>> URI?" The problem is that the current URI always contains the session ID as a
>>> path parameter whereas the first time through the authentication the original
>>> URI does not.
>>>
>>> This issue also affects trunk and 7.0.x.
>>>
>>> I have fixed this issue in trunk and 7.0.x for 7.0.30 onwards and proposed the
>>> fix for 6.0.x.
>>
>> Mark,
>>
>> I have intermittently observed a similar problem with tc6 and tc7 over
>> the last couple of years. It has been on my own list of things to
>> investigate, but so far my various efforts haven't allowed me to
>> reproduce it on demand and analyse it fully.
>>
>> Bug 53584 deals with the case where the session id is not transmitted in
>> a cookie, but my situation does use cookies. Reading about your
>> investigation and solution suggests to me that the underlying problem is
>> not directly related to the "no cookie" case, but you mention a mismatch
>> in the uri as the underlying cause. I feel it is possible that my own
>> case also involves a uri mismatch, but I need to understand this
>> particular bug and its fix before I can decide.
>>
>> Even though it is fixed, I would like to write a unit test case for this
>> particular bug. Once done, I can use it as a template to simulate my own
>> situation and see whether that has been fixed too.
>>
>> I would like to start developing the first test soon, but you could save
>> me some time. Based on your current understanding, would you mind
>> outlining the minimal conditions needed to trigger this particular
>> failure case?
>>
>> Thanks,
>>
>> Brian
>
> Steps to reproduce are provided in the bug report. The root cause was that the redirect after authentication contained a path parameter (the session id) which was not present in the saved request hence the URIs did not match.
>
> I don't see any way this could occur when cookies are used unless something in the request path is injecting path parameters into the URI.
Thanks for your opinions. I'll get on with the new test - it will be
useful to avoid regression. (I extrapolate from your comment that my own
problem might turn out to be an error in the configuration or user code).
> Mark
Re: [Bug 53584] Forms authentication without cookies requires double submission in 6.0.33
Posted by Mark Thomas <ma...@apache.org>.
Brian Burch <br...@pingtoo.com> wrote:
> On 07/08/12 22:33, bugzilla@apache.org wrote:
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=53584
>>
>> Mark Thomas <ma...@apache.org> changed:
>>
>> What |Removed |Added
>> ----------------------------------------------------------------------------
>> OS| |All
>>
>> --- Comment #1 from Mark Thomas <ma...@apache.org> ---
>> Thanks for an excellent bug report. The issue was a real pleasure to
>> investigate - not just because the root cause was interesting but because I
>> could focus on the interesting bits rather than having to waste time trying to
>> build the test WAR using the current flavour of the month for scm and/or build
>> tool and/or source layout. Simple WARs are *SO* much easier to work with.
>>
>> The clear steps to re-create the issue were also extremely helpful. So again,
>> thank-you.
>>
>> The root cause is that as of 6.0.33 path parameters are included in the value
>> returned from HttpServletRequest.getRequestURI(). During the FORM auth, one of
>> the checks post authentication is "Does the current URI equal the original
>> URI?" The problem is that the current URI always contains the session ID as a
>> path parameter whereas the first time through the authentication the original
>> URI does not.
>>
>> This issue also affects trunk and 7.0.x.
>>
>> I have fixed this issue in trunk and 7.0.x for 7.0.30 onwards and proposed the
>> fix for 6.0.x.
>
> Mark,
>
> I have intermittently observed a similar problem with tc6 and tc7 over
> the last couple of years. It has been on my own list of things to
> investigate, but so far my various efforts haven't allowed me to
> reproduce it on demand and analyse it fully.
>
> Bug 53584 deals with the case where the session id is not transmitted in
> a cookie, but my situation does use cookies. Reading about your
> investigation and solution suggests to me that the underlying problem is
> not directly related to the "no cookie" case, but you mention a mismatch
> in the uri as the underlying cause. I feel it is possible that my own
> case also involves a uri mismatch, but I need to understand this
> particular bug and its fix before I can decide.
>
> Even though it is fixed, I would like to write a unit test case for this
> particular bug. Once done, I can use it as a template to simulate my own
> situation and see whether that has been fixed too.
>
> I would like to start developing the first test soon, but you could save
> me some time. Based on your current understanding, would you mind
> outlining the minimal conditions needed to trigger this particular
> failure case?
>
> Thanks,
>
> Brian
Steps to reproduce are provided in the bug report. The root cause was that the redirect after authentication contained a path parameter (the session id) which was not present in the saved request hence the URIs did not match.
I don't see any way this could occur when cookies are used unless something in the request path is injecting path parameters into the URI.
Mark
Re: [Bug 53584] Forms authentication without cookies requires double submission in 6.0.33
Posted by Brian Burch <br...@pingtoo.com>.
On 07/08/12 22:33, bugzilla@apache.org wrote:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=53584
>
> Mark Thomas <ma...@apache.org> changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> OS| |All
>
> --- Comment #1 from Mark Thomas <ma...@apache.org> ---
> Thanks for an excellent bug report. The issue was a real pleasure to
> investigate - not just because the root cause was interesting but because I
> could focus on the interesting bits rather than having to waste time trying to
> build the test WAR using the current flavour of the month for scm and/or build
> tool and/or source layout. Simple WARs are *SO* much easier to work with.
>
> The clear steps to re-create the issue were also extremely helpful. So again,
> thank-you.
>
> The root cause is that as of 6.0.33 path parameters are included in the value
> returned from HttpServletRequest.getRequestURI(). During the FORM auth, one of
> the checks post authentication is "Does the current URI equal the original
> URI?" The problem is that the current URI always contains the session ID as a
> path parameter whereas the first time through the authentication the original
> URI does not.
>
> This issue also affects trunk and 7.0.x.
>
> I have fixed this issue in trunk and 7.0.x for 7.0.30 onwards and proposed the
> fix for 6.0.x.
Mark,
I have intermittently observed a similar problem with tc6 and tc7 over
the last couple of years. It has been on my own list of things to
investigate, but so far my various efforts haven't allowed me to
reproduce it on demand and analyse it fully.
Bug 53584 deals with the case where the session id is not transmitted in
a cookie, but my situation does use cookies. Reading about your
investigation and solution suggests to me that the underlying problem is
not directly related to the "no cookie" case, but you mention a mismatch
in the uri as the underlying cause. I feel it is possible that my own
case also involves a uri mismatch, but I need to understand this
particular bug and its fix before I can decide.
Even though it is fixed, I would like to write a unit test case for this
particular bug. Once done, I can use it as a template to simulate my own
situation and see whether that has been fixed too.
I would like to start developing the first test soon, but you could save
me some time. Based on your current understanding, would you mind
outlining the minimal conditions needed to trigger this particular
failure case?
Thanks,
Brian
[Bug 53584] Forms authentication without cookies requires double submission in 6.0.33
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53584
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |All
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Thanks for an excellent bug report. The issue was a real pleasure to
investigate - not just because the root cause was interesting but because I
could focus on the interesting bits rather than having to waste time trying to
build the test WAR using the current flavour of the month for scm and/or build
tool and/or source layout. Simple WARs are *SO* much easier to work with.
The clear steps to re-create the issue were also extremely helpful. So again,
thank-you.
The root cause is that as of 6.0.33 path parameters are included in the value
returned from HttpServletRequest.getRequestURI(). During the FORM auth, one of
the checks post authentication is "Does the current URI equal the original
URI?" The problem is that the current URI always contains the session ID as a
path parameter whereas the first time through the authentication the original
URI does not.
This issue also affects trunk and 7.0.x.
I have fixed this issue in trunk and 7.0.x for 7.0.30 onwards and proposed the
fix for 6.0.x.
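A model of the post-authentication "does the current URI equal the original URI?" check that comment #1 describes, as an added example; it is not Tomcat's FormAuthenticator code and makes no claim about the exact change committed. It assumes a saved-request record holding the request URI captured when the unauthenticated request first arrived, and a current URI that carries the session id as a ;jsessionid path parameter because the session is URL-rewritten with cookies disabled. matches_exact reproduces the 6.0.33 symptom from the report (first submission bounced, second accepted); matches_ignoring_path_params shows one way to normalize before comparing. The session id and URIs are constructed.

```python
"""Model of the post-login "is this the saved request?" check from comment #1.

Added example, not Tomcat's FormAuthenticator code. It assumes a saved request
that records the request URI seen when the unauthenticated request arrived,
and a current URI that carries the session id as a ;jsessionid path parameter
because the session is URL-rewritten (cookies disabled). Session id and URIs
below are constructed.
"""

from dataclasses import dataclass


def strip_path_parameters(uri):
    """Remove ';name=value' path parameters from every path segment.

    '/app/index.jsp;jsessionid=ABC' -> '/app/index.jsp'
    '/app;v=1/x;jsessionid=ABC'     -> '/app/x'
    Anything after '?' is a query string and is left untouched.
    """
    path, sep, query = uri.partition("?")
    segments = [segment.split(";", 1)[0] for segment in path.split("/")]
    return "/".join(segments) + sep + query


@dataclass
class SavedRequest:
    method: str
    request_uri: str  # captured before the user was sent to the login form


def matches_exact(saved, current_uri):
    """The 6.0.33 behaviour described in the report: plain string equality.

    Once getRequestURI() includes path parameters, the post-login URI carries
    ';jsessionid=...' while the first saved URI does not, so this never matches
    on the first pass.
    """
    return saved.request_uri == current_uri


def matches_ignoring_path_params(saved, current_uri):
    """Compare both URIs with path parameters removed (one way to normalize)."""
    return strip_path_parameters(saved.request_uri) == strip_path_parameters(current_uri)


def simulate_login(match):
    """Walk the two submissions from the report's steps 7-10 with a given matcher.

    Returns one outcome per attempt: 'login-page' when the matcher rejects the
    request and the user is bounced back to the form (which re-saves the
    request, now with the rewritten URI), 'original-page' when the saved
    request is replayed.
    """
    session_id = "1A2B3C4D5E6F7A8B9C0D"  # constructed
    saved = SavedRequest("GET", "/forms-auth-test/index.jsp")  # no session yet
    current = f"/forms-auth-test/index.jsp;jsessionid={session_id}"
    outcomes = []
    for _attempt in (1, 2):
        if match(saved, current):
            outcomes.append("original-page")
        else:
            outcomes.append("login-page")
            # The bounce saves the request again; this time the URI already
            # carries the session id, which is why the report sees jsessionid
            # in javax.servlet.forward.request_uri on the second submission.
            saved = SavedRequest("GET", current)
    return outcomes


if __name__ == "__main__":
    print("exact match:        ", simulate_login(matches_exact))
    print("path params removed:", simulate_login(matches_ignoring_path_params))
```

Normalizing both sides keeps what the check is for (the saved request is only replayed for the same path) while making it indifferent to how the session id travels, which is the property a regression test for this bug should assert. Two caveats for anyone adapting it: strip parameters from every segment, not just the last one, since ';' can appear on any segment; and remember that the path-parameter transport is the weaker one regardless of this bug, because a URL-carried session id lands in browser history, proxy logs and Referer headers, so cookies="false" should be a deliberate choice rather than a default.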
[Bug 53584] Forms authentication without cookies requires double submission in 6.0.33
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53584
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Fixed in 6.0.x and will be included in 6.0.36 onwards.