Author: markt
Date: Thu Aug 30 22:55:20 2012
New Revision: 1379206

URL: http://svn.apache.org/viewvc?rev=1379206&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53801
Overlapping URL patterns were sometimes merged incorrectly in security 
constraints leading to incorrect 401 responses. Note: it was possible for 
access to be denied when it should have been granted but it was not possible 
for access to be granted when it should have been denied.
Modified:
    tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java

Modified: tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1379206&r1=1379205&r2=1379206&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/realm/RealmBase.java Thu Aug 30 
22:55:20 2012
@@ -629,14 +629,15 @@ public abstract class RealmBase extends 
                     }
                 }
                 if(matched) {
-                    found = true;
                     if(length > longest) {
+                        found = false;
                         if(results != null) {
                             results.clear();
                         }
                         longest = length;
                     }
                     if(collection[j].findMethod(method)) {
+                        found = true;
                         if(results == null) {
                             results = new ArrayList<>();
                         }
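Review bot: The state in this branch (`found`, `longest`, `results`) now carries an invariant that is not written down: after `found = false;` in the `length > longest` branch, `found` means "a constraint at the current longest pattern covers this method", not "some pattern matched the URI". A comment at that line would record it, e.g. `// A longer pattern supersedes earlier matches; found stays false until a constraint at this length covers the method`. This code decides which security constraints apply to a request, and the Modified list shows only RealmBase.java, so a regression test with overlapping patterns of different lengths and different method sets would pin both the fixed deny-when-allowed case and the opposite direction. The enclosing loop starts and ends outside the hunk, so what the caller does when `found` stays false is not visible here.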
@@ -760,7 +761,7 @@ public abstract class RealmBase extends 
      */
     private SecurityConstraint [] resultsToArray(
             ArrayList<SecurityConstraint> results) {
-        if(results == null) {
+        if(results == null || results.size() == 0) {
             return null;
         }
         SecurityConstraint [] array = new SecurityConstraint[results.size()];
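Review bot: Returning `null` for an empty list makes "a pattern matched but no constraint covered the method" indistinguishable from "nothing matched", and the Javadoc that ends just above the signature should say so. The first hunk can leave `results` allocated but cleared via `results.clear()`, which is presumably why this guard was added. Callers presumably treat `null` as "no constraint applies", so a line such as `@return the constraints as an array, or null if results is null or empty` would make that contract explicit. As a style point, `results.isEmpty()` reads better than `results.size() == 0`. The method body continues past the end of the hunk.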


