You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2005/04/22 04:08:43 UTC
DO NOT REPLY [Bug 34560] New: -
AuthenticatorBase tests and applies disableProxyCaching even if no auth-constraints
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=34560>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=34560
Summary: AuthenticatorBase tests and applies disableProxyCaching
even if no auth-constraints
Product: Tomcat 5
Version: 5.0.24
Platform: Other
OS/Version: other
Status: NEW
Severity: major
Priority: P2
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: quartz12h@yahoo.com
The web.xml contains
<security-constraint>
<display-name>Security Constraint</display-name>
<web-resource-collection>
<web-resource-name>HTTP Non Protected Area</web-resource-name>
<url-pattern>/favicon.ico</url-pattern>
<url-pattern>*.gif</url-pattern>
<url-pattern>*.js</url-pattern>
<url-pattern>*.html</url-pattern>
<url-pattern>*.css</url-pattern>
<url-pattern>/css/*</url-pattern>
<url-pattern>/images/*</url-pattern>
<url-pattern>/js/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>
CONFIDENTIAL
</transport-guarantee>
</user-data-constraint>
</security-constraint>
Although it is https (CONFIDENTIAL), it doesn't have any
<auth-constraint><role-name>...
yet the valve FormAuthenticator (extends AuthenticatorBase, 5.0.24, line 458)
only tests for existence of constraints, not roles:
if ((constraints == null) /* &&
(!Constants.FORM_METHOD.equals(config.getAuthMethod())) */ ) {
if (log.isDebugEnabled())
log.debug(" Not subject to any constraint");
context.invokeNext(request, response);
return;
}
// Make sure that constrained resources are not cached by web proxies
// or browsers as caching can provide a security hole
HttpServletRequest hsrequest = (HttpServletRequest)hrequest.getRequest();
if (disableProxyCaching &&
// FIXME: Disabled for Mozilla FORM support over SSL
// (improper caching issue)
//!hsrequest.isSecure() &&
!"POST".equalsIgnoreCase(hsrequest.getMethod())) {
HttpServletResponse sresponse =
(HttpServletResponse) response.getResponse();
sresponse.setHeader("Pragma", "No-cache");
sresponse.setHeader("Cache-Control", "no-cache");
sresponse.setHeader("Expires", DATE_ONE);
}
As a result, it is not allowing caching of static ressources in the patterns.
(Slow site performance)
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org