Posted to dev@tomcat.apache.org by Jonathan Pierce <Jo...@seagram.com> on 2002/02/15 17:21:45 UTC

Updated Fix for AJP13 Connector Authentication Bug !!!

I looked over the patch I supplied yesterday and realized that this original
line (String remoteUser = ajp.remoteUser().toString();) could cause a null
pointer exception if the ajp.remoteUser() returns null. Since the original code
checked for null, it is probably safer to check for null on ajp.remoteUser ()
before calling toString just in case the RemoteUser is supplied as null.

Please replace the patch I supplied yesterday with the following code to support
this possibility. I've tested this updated version and it works as well.

In org.apache.ajp.tomcat4.Ajp13Request.setAjpRequest 
Replace from line 115:

//    String remoteUser = ajp.remoteUser().toString();
//    if ((remoteUser != null) && (! remoteUser.equals ("")))
//    {
//        setUserPrincipal(new Ajp13Principal(remoteUser));
//    }
//    else
//    {
//        setUserPrincipal(null);
//    }

    // Default to "no authenticated user"; only a non-null, non-empty
    // remote user supplied by the connector produces a principal.
    Ajp13Principal theUserPrincipal = null;
    MessageBytes theRemoteUser = ajp.remoteUser();
    if (theRemoteUser != null)
    {
        // MessageBytes.toString() can itself return null when the buffer
        // holds no value, so guard that before comparing against "".
        String theRemoteUserName = theRemoteUser.toString();
        if ((theRemoteUserName != null) && (! theRemoteUserName.equals("")))
        {
            theUserPrincipal = new Ajp13Principal(theRemoteUserName);
        }
    }
    setUserPrincipal(theUserPrincipal);


Here is an explanation of the rationale behind the patch:

The request is providing an empty string for the remote user parameter rather
than null. The unpatched code was setting the user principal to a non-null empty
user instead of null. Subsequent code calling getUserPrincipal assumed that a
user had already been authenticated when the non-null getUserPrincipal value was
seen, and denied access to the empty user. The patched code treats a specified
user of "" the same as an unspecified user header of null, and sets the user
principal in the request to null when the supplied userid is empty or null, and
to a valid Ajp13Principal when the userid is non-null, non-empty.

Jonathan
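The failure mode described in the explanation above, as an added stand-alone illustration (not code from the thread or from Tomcat): SimplePrincipal stands in for Ajp13Principal, and authenticatorDecision is a hypothetical stand-in for the downstream code that treats any non-null principal as "already authenticated".

```java
import java.security.Principal;

// Added illustration: models how the unpatched and patched setAjpRequest logic
// map the AJP remoteUser value to a principal, and why a principal named ""
// makes the downstream authenticator deny access instead of issuing a challenge.
public class RemoteUserPrincipalDemo {

    // Hypothetical minimal stand-in for org.apache.ajp.tomcat4.Ajp13Principal.
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Unpatched behaviour from the thread: only null is filtered, "" becomes a principal.
    static Principal unpatched(String remoteUser) {
        return (remoteUser != null) ? new SimplePrincipal(remoteUser) : null;
    }

    // Patched behaviour: null and "" both mean "no user supplied by the connector".
    static Principal patched(String remoteUser) {
        if (remoteUser == null || remoteUser.equals("")) {
            return null;
        }
        return new SimplePrincipal(remoteUser);
    }

    // Mimics the downstream decision the mail describes: a non-null principal is
    // taken as "already authenticated", so access is checked rather than a login
    // form being sent. (Hypothetical; not the Tomcat authenticator itself.)
    static String authenticatorDecision(Principal p, String requiredUser) {
        if (p == null) {
            return "CHALLENGE (send login form)";
        }
        return p.getName().equals(requiredUser)
                ? "ALLOW"
                : "DENY (authenticated as '" + p.getName() + "')";
    }

    public static void main(String[] args) {
        // Constructed sample remoteUser values: absent, empty (the bug), and a real user.
        String[] inputs = { null, "", "tomcat" };
        for (String in : inputs) {
            System.out.printf("remoteUser=%-8s unpatched -> %-32s patched -> %s%n",
                    in == null ? "null" : "\"" + in + "\"",
                    authenticatorDecision(unpatched(in), "tomcat"),
                    authenticatorDecision(patched(in), "tomcat"));
        }
    }
}
```

Running it shows the empty remoteUser being denied outright on the unpatched path and challenged with the login form on the patched path, which is the behaviour difference the thread reports.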

____________________Reply Separator____________________
Subject:    Fix for AJP13 Connector Authentication Bug !!!
Author: "Tomcat Developers List" <to...@jakarta.apache.org>
Date:       2/14/2002 7:39 PM


I've confirmed the fix for the AJP13 Connector / Authentication problem in
4.0.2.
This solves high priority bugs 5647 and 6219.

Please have one of the committers confirm the fix and check it in to cvs. 

The issue was reported in Bug 6219.

I tested the following modification and it seems to resolve the problem.

The problem is in org.apache.ajp.tomcat4.Ajp13Request.setAjpRequest The fix is
below:
Replace from line 115:

// String remoteUser = ajp.remoteUser().toString();
// if(remoteUser != null)
//     setUserPrincipal(new Ajp13Principal(remoteUser));

String remoteUser = ajp.remoteUser().toString();
if ((remoteUser != null) && (! remoteUser.equals ("")))
{
    setUserPrincipal(new Ajp13Principal(remoteUser));
}
else
{
    setUserPrincipal(null);
}

After making this modification, I am able to successfully serve the protected
example url through the IIS connector and get properly challenged by the login
screen and am able to login and logout as expected.

http://localhost/examples/jsp/security/protected/index.jsp

-Jonathan

************************************************************************
This email and any files transmitted with it are for the named person's use
only.  It may contain confidential, proprietary or legally privileged
information.  No confidentiality or privilege is waived or lost by any
mistransmission.  If you receive this message in error, please immediately
delete it and all copies of it from your system, destroy any hard copies
of it and notify the sender.  You must not, directly or indirectly, use,
disclose, distribute, print, or copy any part of this message if you
are not the intended recipient.

This email message has been swept by a virus software product for the
presence of computer viruses.
*************************************************************************

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>