Author: markt
Date: Mon Aug 27 21:28:04 2012
New Revision: 1377878
URL: http://svn.apache.org/viewvc?rev=1377878&view=rev
Log:
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53584
Ignore path parameters when comparing URIs for FORM authentication. This
prevents users being prompted twice for passwords when logging in when session
IDs are being encoded as path parameters.
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/SavedRequest.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1377878&r1=1377877&r2=1377878&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Mon Aug 27 21:28:04 2012
@@ -136,16 +136,6 @@ PATCHES PROPOSED TO BACKPORT:
+1: kfujino, kkolinko
-1:
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53584
- Ignore path parameters when comparing URIs for FORM authentication. This
- prevents users being prompted twice for passwords when logging in when
session
- IDs are being encoded as path parameters.
- http://svn.apache.org/viewvc?rev=1370537&view=rev
- http://svn.apache.org/viewvc?rev=1372390&view=rev (addresses kkolinko's -1)
- +1: markt, schultz
- +1: kkolinko (OK, my concerns were addressed)
- -1:
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53481
Add support for SSLHonorCipherOrder
http://svn.apache.org/viewvc?view=revision&revision=1371298
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1377878&r1=1377877&r2=1377878&view=diff
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
Mon Aug 27 21:28:04 2012
@@ -397,11 +397,11 @@ public class FormAuthenticator
return (false);
// Does the request URI match?
- String requestURI = request.getRequestURI();
- if (requestURI == null)
+ String decodedRequestURI = request.getDecodedRequestURI();
+ if (decodedRequestURI == null) {
return (false);
- return (requestURI.equals(sreq.getRequestURI()));
-
+ }
+ return (decodedRequestURI.equals(sreq.getDecodedRequestURI()));
}
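Review bot: The final `return` of this hunk silently fails the match whenever `sreq.getDecodedRequestURI()` is null, because `equals(null)` is false. That is the state of any SavedRequest created before this revision started populating the field, which could occur if saved requests survive an upgrade through session persistence or replication (not visible here, so to be confirmed). A fallback to the previous raw comparison for that case keeps the check as strict as before, e.g. `if (sreq.getDecodedRequestURI() == null) return (sreq.getRequestURI() != null && sreq.getRequestURI().equals(request.getRequestURI()));`. The comment above the check would also read better as `// Does the decoded request URI (path parameters ignored) match?`. The enclosing method starts outside the hunk.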
@@ -547,6 +547,7 @@ public class FormAuthenticator
saved.setMethod(request.getMethod());
saved.setQueryString(request.getQueryString());
saved.setRequestURI(request.getRequestURI());
+ saved.setDecodedRequestURI(request.getDecodedRequestURI());
// Stash the SavedRequest in our session for later use
session.setNote(Constants.FORM_REQUEST_NOTE, saved);
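Review bot: The added `setDecodedRequestURI` line stores a second form of the URI next to the raw one without saying which consumer each is for. Within this commit the decoded value is read only by the URI comparison in the first FormAuthenticator hunk. It has path parameters removed and is presumably percent-decoded, so it should not be reused to build the post-login redirect without re-encoding. A comment such as `// Decoded URI (path parameters removed) is for matching only; redirects use the raw request URI` would record that. The enclosing method starts and ends outside the hunk.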
Modified:
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/SavedRequest.java
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/SavedRequest.java?rev=1377878&r1=1377877&r2=1377878&view=diff
==============================================================================
---
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/SavedRequest.java
(original)
+++
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/SavedRequest.java
Mon Aug 27 21:28:04 2012
@@ -169,6 +169,21 @@ public final class SavedRequest {
/**
+ * The decode request URI associated with this Request. Path parameters are
+ * also excluded
+ */
+ private String decodedRequestURI = null;
+
+ public String getDecodedRequestURI() {
+ return (this.decodedRequestURI);
+ }
+
+ public void setDecodedRequestURI(String decodedRequestURI) {
+ this.decodedRequestURI = decodedRequestURI;
+ }
+
+
+ /**
* The body of this request.
*/
private ByteChunk body = null;
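Review bot: The Javadoc on the new field reads "The decode request URI" and ends without a full stop, and the new getter and setter have no Javadoc at all. Suggested field comment: `The decoded request URI associated with this Request, with path parameters excluded.` The getter should also state that it returns null until `setDecodedRequestURI` has been called, since the authenticator's comparison depends on that value. If SavedRequest is serializable (its declaration is outside the hunk), the added field also changes the serialized form, which is worth a line in the class comment.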
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1377878&r1=1377877&r2=1377878&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Mon Aug 27 21:28:04 2012
@@ -180,6 +180,12 @@
serializable so that it can be replicated across a cluster and/or
persisted across Tomcat restarts. (markt)
</fix>
+ <fix>
+ <bug>53584</bug>: Ignore path parameters when comparing URIs for FORM
+ authentication. This prevents users being prompted twice for passwords
+ when logging in when session IDs are being encoded as path parameters.
+ (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">