Posted to dev@tomcat.apache.org by cr...@locus.apache.org on 2000/07/11 01:54:16 UTC
cvs commit: jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security package.html HttpSecurityBase.java
craigmcc 00/07/10 16:54:15
Modified: proposals/catalina/src/share/org/apache/tomcat/security
HttpSecurityBase.java
Added: proposals/catalina/src/share/org/apache/tomcat/security
package.html
Log:
Correct a bug in the implementation of form-based security that
incorrectly applied security constraints when the login page (and
therefore the "j_security_check" URI to which it submits) is outside the
protected area for any constraint.
Add a Javadoc package description of the contents of this package.
Revision Changes Path
1.4 +38 -9 jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/HttpSecurityBase.java
Index: HttpSecurityBase.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/HttpSecurityBase.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- HttpSecurityBase.java 2000/07/08 02:53:33 1.3
+++ HttpSecurityBase.java 2000/07/10 23:54:14 1.4
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/HttpSecurityBase.java,v 1.3 2000/07/08 02:53:33 craigmcc Exp $
- * $Revision: 1.3 $
- * $Date: 2000/07/08 02:53:33 $
+ * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/HttpSecurityBase.java,v 1.4 2000/07/10 23:54:14 craigmcc Exp $
+ * $Revision: 1.4 $
+ * $Date: 2000/07/10 23:54:14 $
*
* ====================================================================
*
@@ -113,7 +113,7 @@
* requests. Requests of any other type will simply be passed through.
*
* @author Craig R. McClanahan
- * @version $Revision: 1.3 $ $Date: 2000/07/08 02:53:33 $
+ * @version $Revision: 1.4 $ $Date: 2000/07/10 23:54:14 $
*/
@@ -289,12 +289,27 @@
((HttpServletRequest) request.getRequest()).getRequestURI());
LoginConfig config = context.getLoginConfig();
+ // Special handling for form-based logins to deal with the case
+ // where the login form (and therefore the "j_security_check" URI
+ // to which it submits) might be outside the secured area
+ String contextPath = context.getPath();
+ String requestURI =
+ ((HttpServletRequest) request.getRequest()).getRequestURI();
+ if (requestURI.startsWith(contextPath) &&
+ requestURI.endsWith(Constants.FORM_ACTION)) {
+ if (!authenticate(hrequest, hresponse, config)) {
+ if (debug >= 1)
+ log(" Failed authenticate() test");
+ return;
+ }
+ }
+
// Is this request URI subject to a security constraint?
SecurityConstraint constraint = findConstraint(hrequest);
- if ((constraint == null) &&
- (!Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
+ if ((constraint == null) /* &&
+ (!Constants.FORM_METHOD.equals(config.getAuthMethod())) */ ) {
if (debug >= 1)
- log(" Not subject to any constraint");
+ log(" Not subject to any constraint");
invokeNext(request, response);
return;
}
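Review bot: The new pre-check at `if (requestURI.startsWith(contextPath) && requestURI.endsWith(Constants.FORM_ACTION))` runs authenticate() for every request whose URI ends in the form-action suffix regardless of the context's configured auth method, because the auth-method test was turned into the comment `/* && (!Constants.FORM_METHOD.equals(config.getAuthMethod())) */` rather than folded into the new condition. Gate the special case on the form method and drop the commented-out conjunct: `if (Constants.FORM_METHOD.equals(config.getAuthMethod()) && requestURI.startsWith(contextPath) && requestURI.endsWith(Constants.FORM_ACTION)) {`. `endsWith` is a suffix test rather than a path-segment test, so any URI that merely ends with the same characters is treated as the login submission; comparing the part after the context path against the exact action path would be tighter, and the same suffix match recurs in the `@@ -370,6 +385,11 @@` hunk. If a context with no login configuration can yield a null `config`, both `config.getAuthMethod()` and `authenticate(hrequest, hresponse, config)` need a guard, but whether that is possible is not visible here. The enclosing method begins before this hunk.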
@@ -309,7 +324,7 @@
}
// Authenticate based upon the specified login configuration
- if (!authenticate(hrequest, hresponse, context.getLoginConfig())) {
+ if (!authenticate(hrequest, hresponse, config)) {
if (debug >= 1)
log(" Failed authenticate() test");
return;
@@ -370,6 +385,11 @@
log(" Allow access to error page " + errorPage);
return (true);
}
+ if (requestURI.endsWith(Constants.FORM_ACTION)) {
+ if (debug >= 1)
+ log(" Allow access to username/password submission");
+ return (true);
+ }
}
// Which user principal have we already authenticated?
@@ -471,8 +491,11 @@
// Are there any defined security constraints?
SecurityConstraint constraints[] = context.findConstraints();
- if ((constraints == null) || (constraints.length == 0))
+ if ((constraints == null) || (constraints.length == 0)) {
+ if (debug >= 2)
+ log(" No applicable constraints defined");
return (null);
+ }
// Check each defined security constraint
HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
@@ -482,11 +505,17 @@
uri = uri.substring(contextPath.length());
String method = hreq.getMethod();
for (int i = 0; i < constraints.length; i++) {
+ if (debug >= 2)
+ log(" Checking constraint '" + constraints[i] +
+ "' against " + method + " " + uri + " --> " +
+ constraints[i].included(uri, method));
if (constraints[i].included(uri, method))
return (constraints[i]);
}
// No applicable security constraint was found
+ if (debug >= 2)
+ log(" No applicable constraint located");
return (null);
}
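Review bot: The debug branch at `log("  Checking constraint '" + constraints[i] + ...` calls `constraints[i].included(uri, method)` a second time purely to print it, so at debug level 2 every constraint is matched twice and the logged value is not the one the decision below actually uses. Evaluate it once: `boolean included = constraints[i].included(uri, method);`, log `included` in the message, then `if (included) return (constraints[i]);`. The method's signature and the derivation of `uri` from the context path sit above this hunk.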
1.1 jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/security/package.html
Index: package.html
===================================================================
<p>This package contains <code>Authenticator</code> implementations for the
various supported authentication methods (BASIC, DIGEST, and FORM). In
addition, there is a convenience base class,
<code>HttpSecurityBase</code>, for customized <code>Authenticator</code>
implementations.</p>
<p>If you are using the standard context configuration class
(<code>org.apache.tomcat.startup.ContextConfig</code>) to configure the
Authenticator associated with a particular context, you can register the Java
class to be used for each possible authentication method by modifying the
following Properties file:</p>
<pre>
src/share/org/apache/tomcat/startup/Authenticators.properties
</pre>