Posted to users@tomcat.apache.org by Dirk Ooms <di...@gmail.com> on 2018/05/01 13:36:55 UTC

tomcat9 j_security_check request.getRequestURI() incorrect after POST

Hello,

i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.

in tomcat5.5 when a user was not logged in and he/she requested a url, the
login page was returned and after logging in the user was given the
requested resource. when i requested request.getRequestURI() in my code the
returned uri was correct for both GET and POST.

in tomcat9 this is not the case anymore for POST (for GET still ok). when i
call request.getRequestURI() after the user is logged in, it returns
"chString" in my case, which is a part of the name of the first form field
("searchString") of the original POST.

any idea? am i missing something?

thanks,
dirk

Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST

Posted by Dirk Ooms <di...@gmail.com>.
Thanks for fixing this. Happy to help.

On 3 May 2018 at 21:31, Mark Thomas <ma...@apache.org> wrote:

> On 03/05/18 20:17, Mark Thomas wrote:
> > On 02/05/18 16:08, Dirk Ooms wrote:
> >> Mark,
> >>
> >> you can reproduce it using the FormAuthentication example in the
> >> examples (http://localhost:8080/examples/jsp/security/protected/)
> >>
> >> edit index.jsp
> >> 1. add the line "RequestURI: <%= request.getRequestURI() %><br><br>" in
> >> begin of body
> >> 2. change the method of the form from GET to POST
> >>
> >> scenario:
> >> 1. go to http://localhost:8080/examples/jsp/security/protected/
> >> 2. log in
> >> 3. open second tab/window to same url
> >> 4. log out in second tab/window
> >> 5. go to initial window and submit form
> >> 6. log in again
> >> 7. observe the malformed requestURI
> >
> > Thanks for the reproduction steps. They were a huge help.
> >
> > This was introduced in 8.5.x with some refactoring that reduced copying
> > between I/O buffers during request processing. Essentially, the saved
> > request body was over-writing the cached bytes for the URI.
>
> Correction. It affects 8.0.x and earlier as well.
>
> I'll back port the fix for 8.0.x and 7.0.x.
>
> Mark
>
>
> >
> > I'll be committing a fix shortly which will be available in 9.0.9 and
> > 8.5.32 onwards.
> >
> > Mark
> >
> >
> >>
> >> see also attached screenshots (if they make it to the mailing list).
> >>
> >> dirk
> >>
> >>
> >> On 1 May 2018 at 16:20, Dirk Ooms <dirk42@gmail.com> wrote:
> >>
> >>     apologies for the incomplete info. it is tomcat 9.0.6
> >>
> >>     i will try to set up a test case and get back to you.
> >>
> >>     dirk
> >>
> >>
> >>     On 1 May 2018 at 16:07, Mark Thomas <markt@apache.org> wrote:
> >>
> >>         On 01/05/18 14:36, Dirk Ooms wrote:
> >>         > Hello,
> >>         >
> >>         > i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.
> >>         >
> >>         > in tomcat5.5 when a user was not logged in and he/she requested a url, the
> >>         > login page was returned and after logging in the user was given the
> >>         > requested resource. when i requested request.getRequestURI() in my code the
> >>         > returned uri was correct for both GET and POST.
> >>         >
> >>         > in tomcat9 this is not the case anymore for POST (for GET still ok). when i
> >>         > call request.getRequestURI() after the user is logged in, it returns
> >>         > "chString" in my case, which is a part of the name of the first form field
> >>         > ("searchString") of the original POST.
> >>         >
> >>         > any idea? am i missing something?
> >>
> >>         The exact Tomcat 9 version.
> >>
> >>         A test case that demonstrates the issue.
> >>
> >>         Mark
> >>

Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST

Posted by Mark Thomas <ma...@apache.org>.
On 03/05/18 20:17, Mark Thomas wrote:
> On 02/05/18 16:08, Dirk Ooms wrote:
>> Mark,
>>
>> you can reproduce it using the FormAuthentication example in the
>> examples (http://localhost:8080/examples/jsp/security/protected/)
>>
>> edit index.jsp
>> 1. add the line "RequestURI: <%= request.getRequestURI() %><br><br>" in
>> begin of body
>> 2. change the method of the form from GET to POST
>>
>> scenario:
>> 1. go to http://localhost:8080/examples/jsp/security/protected/
>> 2. log in
>> 3. open second tab/window to same url
>> 4. log out in second tab/window
>> 5. go to initial window and submit form
>> 6. log in again
>> 7. observe the malformed requestURI
> 
> Thanks for the reproduction steps. They were a huge help.
> 
> This was introduced in 8.5.x with some refactoring that reduced copying
> between I/O buffers during request processing. Essentially, the saved
> request body was over-writing the cached bytes for the URI.

Correction. It affects 8.0.x and earlier as well.

I'll back port the fix for 8.0.x and 7.0.x.

Mark


> 
> I'll be committing a fix shortly which will be available in 9.0.9 and
> 8.5.32 onwards.
> 
> Mark
> 
> 
>>
>> see also attached screenshots (if they make it to the mailing list).
>>
>> dirk
>>
>>
>> On 1 May 2018 at 16:20, Dirk Ooms <dirk42@gmail.com> wrote:
>>
>>     apologies for the incomplete info. it is tomcat 9.0.6
>>
>>     i will try to set up a test case and get back to you.
>>
>>     dirk
>>
>>
>>     On 1 May 2018 at 16:07, Mark Thomas <markt@apache.org> wrote:
>>
>>         On 01/05/18 14:36, Dirk Ooms wrote:
>>         > Hello,
>>         > 
>>         > i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.
>>         > 
>>         > in tomcat5.5 when a user was not logged in and he/she requested a url, the
>>         > login page was returned and after logging in the user was given the
>>         > requested resource. when i requested request.getRequestURI() in my code the
>>         > returned uri was correct for both GET and POST.
>>         > 
>>         > in tomcat9 this is not the case anymore for POST (for GET still ok). when i
>>         > call request.getRequestURI() after the user is logged in, it returns
>>         > "chString" in my case, which is a part of the name of the first form field
>>         > ("searchString") of the original POST.
>>         > 
>>         > any idea? am i missing something?
>>
>>         The exact Tomcat 9 version.
>>
>>         A test case that demonstrates the issue.
>>
>>         Mark
>>


Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST

Posted by Mark Thomas <ma...@apache.org>.
On 02/05/18 16:08, Dirk Ooms wrote:
> Mark,
> 
> you can reproduce it using the FormAuthentication example in the
> examples (http://localhost:8080/examples/jsp/security/protected/)
> 
> edit index.jsp
> 1. add the line "RequestURI: <%= request.getRequestURI() %><br><br>" in
> begin of body
> 2. change the method of the form from GET to POST
> 
> scenario:
> 1. go to http://localhost:8080/examples/jsp/security/protected/
> 2. log in
> 3. open second tab/window to same url
> 4. log out in second tab/window
> 5. go to initial window and submit form
> 6. log in again
> 7. observe the malformed requestURI

Thanks for the reproduction steps. They were a huge help.

This was introduced in 8.5.x with some refactoring that reduced copying
between I/O buffers during request processing. Essentially, the saved
request body was over-writing the cached bytes for the URI.

I'll be committing a fix shortly which will be available in 9.0.9 and
8.5.32 onwards.

Mark


> 
> see also attached screenshots (if they make it to the mailing list).
> 
> dirk
> 
> 
> On 1 May 2018 at 16:20, Dirk Ooms <dirk42@gmail.com> wrote:
> 
>     apologies for the incomplete info. it is tomcat 9.0.6
> 
>     i will try to set up a test case and get back to you.
> 
>     dirk
> 
> 
>     On 1 May 2018 at 16:07, Mark Thomas <markt@apache.org> wrote:
> 
>         On 01/05/18 14:36, Dirk Ooms wrote:
>         > Hello,
>         > 
>         > i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.
>         > 
>         > in tomcat5.5 when a user was not logged in and he/she requested a url, the
>         > login page was returned and after logging in the user was given the
>         > requested resource. when i requested request.getRequestURI() in my code the
>         > returned uri was correct for both GET and POST.
>         > 
>         > in tomcat9 this is not the case anymore for POST (for GET still ok). when i
>         > call request.getRequestURI() after the user is logged in, it returns
>         > "chString" in my case, which is a part of the name of the first form field
>         > ("searchString") of the original POST.
>         > 
>         > any idea? am i missing something?
> 
>         The exact Tomcat 9 version.
> 
>         A test case that demonstrates the issue.
> 
>         Mark
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
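
Added example (not part of the thread and not Tomcat's code): a toy Java model of the failure Mark describes above, where a URI held as a zero-copy view into a shared I/O buffer changes when the saved POST body is written into that same buffer. The class and method names, the buffer size and the request line are assumptions made for illustration; copying the bytes is one way to avoid the aliasing, not necessarily the change that was committed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class SharedBufferAliasingDemo {

    /** Zero-copy view (offset + length) into a buffer owned by someone else. */
    static final class ByteView {
        private final byte[] buf;
        private final int off;
        private final int len;

        ByteView(byte[] buf, int off, int len) {
            this.buf = buf;
            this.off = off;
            this.len = len;
        }

        /** Decodes on every call, so it reflects the buffer's current bytes. */
        String read() {
            return new String(buf, off, len, StandardCharsets.ISO_8859_1);
        }

        /** Detaches the view from the shared buffer by copying its bytes. */
        ByteView copy() {
            return new ByteView(Arrays.copyOfRange(buf, off, off + len), 0, len);
        }
    }

    /** Writes s at the start of buf, as a reused I/O buffer would be refilled. */
    static void fill(byte[] buf, String s) {
        byte[] b = s.getBytes(StandardCharsets.ISO_8859_1);
        System.arraycopy(b, 0, buf, 0, b.length);
    }

    public static void main(String[] args) {
        byte[] inputBuffer = new byte[64];                 // shared buffer (toy size)
        String requestLine = "POST /protected HTTP/1.1";   // constructed sample
        fill(inputBuffer, requestLine);

        int uriStart = requestLine.indexOf('/');
        ByteView aliasedUri = new ByteView(inputBuffer, uriStart, "/protected".length());
        ByteView copiedUri = aliasedUri.copy();            // taken before the replay

        // Replaying the saved POST body after login reuses the same buffer.
        fill(inputBuffer, "searchString=tomcat");

        System.out.println("aliased view: " + aliasedUri.read());
        System.out.println("copied view:  " + copiedUri.read());
    }
}
```

The aliased view prints a fragment of the form body, the same kind of symptom as the reported "chString", while the copied view still prints the original URI.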


Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST

Posted by Dirk Ooms <di...@gmail.com>.
Mark,

you can reproduce it using the FormAuthentication example in the examples
(http://localhost:8080/examples/jsp/security/protected/)

edit index.jsp
1. add the line "RequestURI: <%= request.getRequestURI() %><br><br>" in
begin of body
2. change the method of the form from GET to POST

scenario:
1. go to http://localhost:8080/examples/jsp/security/protected/
2. log in
3. open second tab/window to same url
4. log out in second tab/window
5. go to initial window and submit form
6. log in again
7. observe the malformed requestURI

see also attached screenshots (if they make it to the mailing list).

dirk


On 1 May 2018 at 16:20, Dirk Ooms <di...@gmail.com> wrote:

> apologies for the incomplete info. it is tomcat 9.0.6
>
> i will try to set up a test case and get back to you.
>
> dirk
>
>
> On 1 May 2018 at 16:07, Mark Thomas <ma...@apache.org> wrote:
>
>> On 01/05/18 14:36, Dirk Ooms wrote:
>> > Hello,
>> >
>> > i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.
>> >
>> > in tomcat5.5 when a user was not logged in and he/she requested a url, the
>> > login page was returned and after logging in the user was given the
>> > requested resource. when i requested request.getRequestURI() in my code the
>> > returned uri was correct for both GET and POST.
>> >
>> > in tomcat9 this is not the case anymore for POST (for GET still ok). when i
>> > call request.getRequestURI() after the user is logged in, it returns
>> > "chString" in my case, which is a part of the name of the first form field
>> > ("searchString") of the original POST.
>> >
>> > any idea? am i missing something?
>>
>> The exact Tomcat 9 version.
>>
>> A test case that demonstrates the issue.
>>
>> Mark
>>

Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST

Posted by Dirk Ooms <di...@gmail.com>.
apologies for the incomplete info. it is tomcat 9.0.6

i will try to set up a test case and get back to you.

dirk


On 1 May 2018 at 16:07, Mark Thomas <ma...@apache.org> wrote:

> On 01/05/18 14:36, Dirk Ooms wrote:
> > Hello,
> >
> > i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.
> >
> > in tomcat5.5 when a user was not logged in and he/she requested a url, the
> > login page was returned and after logging in the user was given the
> > requested resource. when i requested request.getRequestURI() in my code the
> > returned uri was correct for both GET and POST.
> >
> > in tomcat9 this is not the case anymore for POST (for GET still ok). when i
> > call request.getRequestURI() after the user is logged in, it returns
> > "chString" in my case, which is a part of the name of the first form field
> > ("searchString") of the original POST.
> >
> > any idea? am i missing something?
>
> The exact Tomcat 9 version.
>
> A test case that demonstrates the issue.
>
> Mark
>

Re: tomcat9 j_security_check request.getRequestURI() incorrect after POST

Posted by Mark Thomas <ma...@apache.org>.
On 01/05/18 14:36, Dirk Ooms wrote:
> Hello,
> 
> i did an upgrade from tomcat5.5 to tomcat9 and i'm using j_security_check.
> 
> in tomcat5.5 when a user was not logged in and he/she requested a url, the
> login page was returned and after logging in the user was given the
> requested resource. when i requested request.getRequestURI() in my code the
> returned uri was correct for both GET and POST.
> 
> in tomcat9 this is not the case anymore for POST (for GET still ok). when i
> call request.getRequestURI() after the user is logged in, it returns
> "chString" in my case, which is a part of the name of the first form field
> ("searchString") of the original POST.
> 
> any idea? am i missing something?

The exact Tomcat 9 version.

A test case that demonstrates the issue.

Mark
