Author: markt Date: Thu Aug 30 22:59:07 2012 New Revision: 1379208 URL: http://svn.apache.org/viewvc?rev=1379208&view=rev Log: Overlapping URL patterns were sometimes merged incorrectly in security constraints leading to incorrect 401 responses. Note: it was possible for access to be denied when it should have been granted but it was not possible for access to be granted when it should have been denied.
Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1379206
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java?rev=1379208&r1=1379207&r2=1379208&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java Thu Aug 30 22:59:07 2012
@@ -659,14 +659,15 @@ public abstract class RealmBase extends
 }
 }
 if(matched) {
- found = true;
 if(length > longest) {
+ found = false;
 if(results != null) {
 results.clear();
 }
 longest = length;
 }
 if(collection[j].findMethod(method)) {
+ found = true;
 if(results == null) {
 results = new ArrayList<SecurityConstraint>();
 }
@@ -790,7 +791,7 @@ public abstract class RealmBase extends
 */
 private SecurityConstraint [] resultsToArray(
 ArrayList<SecurityConstraint> results) {
- if(results == null) {
+ if(results == null || results.size() == 0) {
 return null;
 }
 SecurityConstraint [] array = new SecurityConstraint[results.size()];
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1379208&r1=1379207&r2=1379208&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu Aug 30 22:59:07 2012
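Review bot: The flag `found` changes meaning in the `if(matched)` block of the first RealmBase.java hunk, from "some pattern matched the URI" to "a constraint at the current longest match also covers the HTTP method", and nothing in the new code records that. A comment above the reset would help, for example `// found tracks whether a constraint at the longest matching pattern covers this method; a longer match invalidates earlier hits`. The commit modifies only RealmBase.java and changelog.xml, so no regression test for bug 53801 accompanies it. Since this logic decides which constraints gate a request, a test with overlapping patterns that list different methods would pin the intended result. The enclosing loop and the later reads of `found` are outside the hunk, so how the fall-through to less specific patterns behaves cannot be confirmed from here.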
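Review bot: In `resultsToArray` (second RealmBase.java hunk) an empty list now returns `null` exactly as a null list does, and the Javadoc that closes just above the signature should say so, for example `@return the constraints as an array, or null if results is null or empty`. The Javadoc text itself is outside the hunk. Callers presumably treat `null` as "no security constraint applies", which makes this return value the one that allows a request through unchecked, so the contract is worth stating explicitly. The first hunk can leave a cleared but non-null list behind, which is the case this branch now catches. As a point of style, `results.isEmpty()` states the intent more directly than `results.size() == 0`.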
@@ -190,6 +190,13 @@ correct paths for subdirectories. Patch provided by Kevin Wooten. (kkolinko) </fix> + <fix> + <bug>53801</bug>: Overlapping URL patterns were sometimes merged + incorrectly in security constraints leading to incorrect 401 responses. + Note: it was possible for access to be denied when it should have been + granted but it was not possible for access to be granted when it should + have been denied. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org