Author: markt
Date: Mon Oct 10 15:44:14 2011
New Revision: 1181028
URL: http://svn.apache.org/viewvc?rev=1181028&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51940
Don't limit saving of request bodies during FORM authentication to POST
requests since any HTTP method may include a body.
Based on a patch by Nicholas Sushkin
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1181028&r1=1181027&r2=1181028&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
Mon Oct 10 15:44:14 2011
@@ -368,6 +368,16 @@ public class FormAuthenticator
HttpServletResponse response, LoginConfig config)
throws IOException {
+ if (log.isDebugEnabled()) {
+ log.debug(sm.getString("formAuthenticator.forwardLogin",
+ request.getRequestURI(), request.getMethod(),
+ config.getLoginPage(),
+ context.getServletContext().getContextPath()));
+ }
+
+ // Always use GET for the login page, regardless of the method used
+ request.getCoyoteRequest().method().setString("GET");
+
String loginPage = config.getLoginPage();
if (loginPage == null || loginPage.length() == 0) {
String msg = sm.getString("formAuthenticator.noLoginPage",
@@ -535,27 +545,27 @@ public class FormAuthenticator
// Ignore request body
}
- if ("POST".equalsIgnoreCase(saved.getMethod())) {
- ByteChunk body = saved.getBody();
-
- if (body != null) {
- request.getCoyoteRequest().action
- (ActionCode.REQ_SET_BODY_REPLAY, body);
-
- // Set content type
- MessageBytes contentType = MessageBytes.newInstance();
-
- //If no content type specified, use default for POST
- String savedContentType = saved.getContentType();
- if (savedContentType == null) {
- savedContentType = "application/x-www-form-urlencoded";
- }
+ ByteChunk body = saved.getBody();
+ String method = saved.getMethod();
+
+ if (body != null) {
+ request.getCoyoteRequest().action
+ (ActionCode.REQ_SET_BODY_REPLAY, body);
- contentType.setString(savedContentType);
- request.getCoyoteRequest().setContentType(contentType);
+ // Set content type
+ MessageBytes contentType = MessageBytes.newInstance();
+
+ // If no content type specified, use default for POST
+ String savedContentType = saved.getContentType();
+ if (savedContentType == null && "POST".equalsIgnoreCase(method)) {
+ savedContentType = "application/x-www-form-urlencoded";
}
+
+ contentType.setString(savedContentType);
+ request.getCoyoteRequest().setContentType(contentType);
}
- request.getCoyoteRequest().method().setString(saved.getMethod());
+
+ request.getCoyoteRequest().method().setString(method);
request.getCoyoteRequest().queryString().setString
(saved.getQueryString());
@@ -599,20 +609,22 @@ public class FormAuthenticator
saved.addLocale(locale);
}
- if ("POST".equalsIgnoreCase(request.getMethod())) {
- // May need to acknowledge a 100-continue expectation
- request.getResponse().sendAcknowledgement();
-
- ByteChunk body = new ByteChunk();
- body.setLimit(request.getConnector().getMaxSavePostSize());
-
- byte[] buffer = new byte[4096];
- int bytesRead;
- InputStream is = request.getInputStream();
-
- while ( (bytesRead = is.read(buffer) ) >= 0) {
- body.append(buffer, 0, bytesRead);
- }
+ // May need to acknowledge a 100-continue expectation
+ request.getResponse().sendAcknowledgement();
+
+ ByteChunk body = new ByteChunk();
+ body.setLimit(request.getConnector().getMaxSavePostSize());
+
+ byte[] buffer = new byte[4096];
+ int bytesRead;
+ InputStream is = request.getInputStream();
+
+ while ( (bytesRead = is.read(buffer) ) >= 0) {
+ body.append(buffer, 0, bytesRead);
+ }
+
+ // Only save the request body if there is somethign to save
+ if (body.getLength() > 0) {
saved.setContentType(request.getContentType());
saved.setBody(body);
}
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties?rev=1181028&r1=1181027&r2=1181028&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
Mon Oct 10 15:44:14 2011
@@ -31,6 +31,7 @@ authenticator.userDataConstraint=This re
digestAuthenticator.cacheRemove=A valid entry has been removed from client
nonce cache to make room for new entries. A replay attack is now possible. To
prevent the possibility of replay attacks, reduce nonceValidity or increase
cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
formAuthenticator.forwardErrorFail=Unexpected error forwarding to error page
+formAuthenticator.forwardLogin=Forwarding request for [{0}] made with method
[{1}] to login page [{2}] of context [{3}] using request method GET
formAuthenticator.forwardLoginFail=Unexpected error forwarding to login page
formAuthenticator.noErrorPage=No error page was defined for FORM
authentication in context [{0}]
formAuthenticator.noLoginPage=No login page was defined for FORM
authentication in context [{0}]
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
