Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/03/28 18:15:39 UTC

DO NOT REPLY [Bug 18475] New: - Invalid handling of "auth" type in WarpRequestHandler.java

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18475>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18475

Invalid handling of "auth" type in WarpRequestHandler.java

           Summary: Invalid handling of "auth" type in
                    WarpRequestHandler.java
           Product: Tomcat 5
           Version: 5.0.0
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Connector:Webapp
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: smb1@cornell.edu
                CC: smb1@cornell.edu


WarpRequestHandler.handle(WarpConnection connection, WarpPacket packet)::

                case Constants.TYPE_REQ_AUTH: {
                    String user=packet.readString();
                    String auth=packet.readString();
                    if (Constants.DEBUG)
                        logger.debug("Request user="+user+" auth="+auth);
                    request.setAuthType(auth);
                    // What to do for user name?
                    if(user != null && auth != null && auth.equals("Basic")) {
                        Principal prin = new BasicPrincipal(user);
                        request.setUserPrincipal(prin);
                    }

                    break;
                }

The section of code above does not appropriately handle authenticated usernames 
from the host web server.  It also misleads users by reporting in the log that 
the username is actually being passed to tomcat.  The problem is that the 
setting of the username is conditional on the authType String matching exactly 
the word "Basic".  The default "Authorization" HTTP request header is of 
type "Basic" but the RPC allows for any "Authorization" "type"; it even 
mentions an example of type "Kerberos".

Many schools have implemented custom HTTP Authorization "type"s and the warp 
connector will not appropriately deal with them.  I have modified this class so 
that our authentication mechanisms will work with warp and that code segment is 
below:

WarpRequestHandler.handle(WarpConnection connection, WarpPacket packet)::

                case Constants.TYPE_REQ_AUTH: {
                    String user=packet.readString();
                    String auth=packet.readString();

                    if (Constants.DEBUG)
                        logger.debug("Request user="+user+" auth="+auth);
                    request.setAuthType(auth);
                    // What to do for user name?

                    // Steve Barrett, smb1@cornell.edu - 2003.03.28, will report in bugzilla
                    // if(user != null && auth != null && auth.equals("Basic")) {
                    if(user != null ) { //&& auth != null && auth.equals("Basic")) {
                        Principal prin = new BasicPrincipal(user);
                        request.setUserPrincipal(prin);
                    }

                    break;
                }

This, however, is also not an appropriate solution because it allows ANY 
request that appears to have properly authenticated a user to pass a username 
to tomcat.  It would be more appropriate if the ability to accept usernames 
from front ends were a switch (like 'tomcatAuthentication="false"' in ajp13) 
and even better if there were an attribute which allowed the HTTP Authorization 
request headers to be specified so that sites could define which "type" of 
authtype they would be willing to accept.
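The following is an added, stand-alone sketch of the policy the report asks for; it is not Tomcat code and not the reporter's patch. The attribute name "tomcatAuthentication" is borrowed from ajp13 as the report suggests, while "allowedAuthTypes" and the custom type "SiteCustom" are constructed for the example, and an anonymous Principal stands in for BasicPrincipal.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not part of Tomcat or the bug report): decides whether a
 * username reported by the front-end web server may become the request's
 * principal. Attribute names are hypothetical connector settings.
 */
public class WarpAuthPolicy {
    private final boolean tomcatAuthentication; // true: Tomcat authenticates itself, front-end user ignored
    private final Set<String> allowedAuthTypes; // auth "type"s the site opts in to accept

    public WarpAuthPolicy(boolean tomcatAuthentication, String allowedAuthTypesAttr) {
        this.tomcatAuthentication = tomcatAuthentication;
        this.allowedAuthTypes = new HashSet<>();
        for (String t : allowedAuthTypesAttr.split(",")) {   // comma-separated attribute value
            String trimmed = t.trim();
            if (!trimmed.isEmpty()) allowedAuthTypes.add(trimmed);
        }
    }

    /** Returns the principal to set on the request, or null if the front end's user is not trusted. */
    public Principal principalFor(String user, String auth) {
        if (tomcatAuthentication) return null;              // switch off: like ajp13's default behaviour
        if (user == null || user.isEmpty() || auth == null) return null;
        if (!allowedAuthTypes.contains(auth)) return null;  // "Kerberos", site-specific types need opt-in
        final String name = user;
        return new Principal() { public String getName() { return name; } }; // stand-in for BasicPrincipal
    }

    public static void main(String[] args) {
        WarpAuthPolicy strict = new WarpAuthPolicy(false, "Basic");               // shipped behaviour
        WarpAuthPolicy site   = new WarpAuthPolicy(false, "Basic, Kerberos, SiteCustom"); // constructed site config
        WarpAuthPolicy off    = new WarpAuthPolicy(true, "Basic");                // front-end identity ignored

        System.out.println(strict.principalFor("alice", "Kerberos"));            // null: not in the allowed set
        System.out.println(site.principalFor("alice", "Kerberos").getName());    // alice: type was opted in
        System.out.println(site.principalFor("alice", "SiteCustom").getName());  // alice: custom type accepted
        System.out.println(off.principalFor("alice", "Basic"));                  // null: switch disables it
    }
}
```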

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org