https://issues.apache.org/bugzilla/show_bug.cgi?id=50831

           Summary: j_security_check handling doesn't handle original
                    request anchors
           Product: Tomcat 6
           Version: 6.0.29
          Platform: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Servlet & JSP API
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: mbatche...@pentaho.com


Created an attachment (id=26694)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26694)
Replacement for jsp/security/protected/index.jsp

When linking to a protected resource with an anchor specified in the URL using
Form Authentication, Tomcat directs to the login page (correct) and upon
successful authentication, directs to the original request but strips off the
anchor.

Example:
1- Copy altered attached index.jsp into examples/jsp/security/protected
(replace index.jsp).

2- Link to the JSP with an anchor:
http://localhost/examples/jsp/security/protected/index.jsp#sectc

3- Note you will be correctly linked to the login JSP. Authenticate with
both/tomcat.

4- Upon successful authentication, you are directed to the index page, but it
doesn't follow the anchor. Look at the URL in the address bar and you'll see
that the anchor was stripped off by Tomcat.

5- Re-paste the original URL from #2 above, and notice that the anchor is valid
and works.

Tested in Tomcat 5.5.29 and 6.0.29. Tested with Chrome and Firefox.

The attached index.jsp has three different anchor points and long sections of
junk between them so you can easily see when the page retains the anchor and
when it doesn't.

Since Tomcat handles all the j_security_check stuff internally, I can't find a
work-around that will let me get the original requested URL with the anchor.
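
An added example, not part of the original report and not Tomcat code: browsers do not include the URL fragment in the HTTP request, so the request saved on the server side during form login never contains the anchor from step 2. The sketch below shows what reaches the server and one client-side way to carry the anchor across the login. The function names and storage key are hypothetical, and it assumes the login page is rendered while the address bar still shows the originally requested URL.

```javascript
// Added example, not code from the bug report or from Tomcat.
const KEY = 'postLoginFragment'; // hypothetical storage key

// Path and query are all the browser sends in the HTTP request; the
// fragment stays client-side, so a server-side saved request cannot hold it.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// Login page: record the fragment together with the path it belongs to.
function rememberFragment(storage, href) {
  const u = new URL(href);
  if (u.hash.length > 1) {
    storage.setItem(KEY, JSON.stringify({ path: u.pathname, hash: u.hash }));
  }
}

// Protected page after login: return the URL with the fragment restored,
// or null when nothing applies. The saved value is consumed either way.
function restoreFragment(storage, href) {
  const raw = storage.getItem(KEY);
  storage.removeItem(KEY);
  if (!raw) return null;
  let saved;
  try { saved = JSON.parse(raw); } catch (e) { return null; }
  const u = new URL(href);
  if (!saved || saved.path !== u.pathname || u.hash) return null;
  // Accept only plain anchor names; anything else is dropped.
  if (typeof saved.hash !== 'string' || !/^#[A-Za-z0-9_.:-]+$/.test(saved.hash)) return null;
  u.hash = saved.hash;
  return u.href;
}

// Stand-in for window.sessionStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

In a browser, the login page would call `rememberFragment(sessionStorage, location.href)`, and the protected page would pass a non-null result of `restoreFragment(sessionStorage, location.href)` to `location.replace`.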
