https://bz.apache.org/bugzilla/show_bug.cgi?id=58660

--- Comment #8 from Konstantin Kolinko <knst.koli...@gmail.com> ---
One more place that fails: a FormAuthenticator, if it is configured for a web
application as a whole and if its authentication form uses a relative URL to
j_security_check, like the examples app does.

8.0.29
1. In webapps/examples/WEB-INF/web.xml,
in the <security-constraint> elements (there are 2 of them), replace
         <url-pattern>/jsp/security/protected/*</url-pattern>
with
         <url-pattern>/*</url-pattern>

2. In conf/tomcat-users.xml uncomment the test users.

3. Start Tomcat

4. Go to http://localhost:8080/examples

A login form is displayed.

5. Type in user name and password (as configured in conf/tomcat-users.xml)

6. The login form sends a POST request to
http://localhost:8080/j_security_check;jsessionid=<...>

This fails with 404, because the request goes to the wrong web application (ROOT, not
examples).


One more area of concern: anything that sets a cookie before a redirect
happens. See "sessionCookiePathUsesTrailingSlash" option on Context. 

(FormAuthenticator is an example here as well, but as I wrote above there is a
more serious issue with it.)

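
The two effects described in the comment above, as an added example (not part of the original comment and not Tomcat code): how a browser resolves the relative form action from /examples versus /examples/, and how RFC 6265 path matching treats a session cookie whose path ends in a slash. The session id, the context list and the helper names are constructed for illustration; that sessionCookiePathUsesTrailingSlash produces a cookie path of /examples/ is an assumption.

```javascript
// Added illustration. Host, session id and helper names are constructed sample values.
const FORM_ACTION = "j_security_check;jsessionid=SAMPLE";

// Resolve the login form's relative action the way a browser does (WHATWG URL / RFC 3986).
function resolveFormAction(pageUrl, action = FORM_ACTION) {
  return new URL(action, pageUrl).pathname;
}

// Pick the deployed context that receives a path: longest matching context path wins,
// "" stands for ROOT. The context list passed in is an assumption for this demo.
function owningContext(path, contexts) {
  const hits = contexts.filter(c => c === "" || path === c || path.startsWith(c + "/"));
  return hits.sort((a, b) => b.length - a.length)[0] || "ROOT";
}

// RFC 6265 section 5.1.4 path-match: is a cookie scoped to cookiePath sent for requestPath?
function cookiePathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Summarise what happens when the login form is served at pageUrl.
function report(pageUrl, cookiePath) {
  const pagePath = new URL(pageUrl).pathname;
  const target = resolveFormAction(pageUrl);
  return {
    pagePath,
    target,
    context: owningContext(target, ["", "/examples"]),
    cookieSentToPage: cookiePathMatches(pagePath, cookiePath),
    cookieSentToTarget: cookiePathMatches(target, cookiePath),
  };
}

// Form served without the trailing slash (no redirect happened) versus with it.
for (const page of ["http://localhost:8080/examples", "http://localhost:8080/examples/"]) {
  console.log(report(page, "/examples/"));
}
```

When the form is served at /examples the POST lands in ROOT and a cookie scoped to /examples/ is sent neither to the page nor to the POST target; served at /examples/ both line up.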