svn commit: r1493690 - /tomcat/trunk/res/findbugs/filter-false-positives.xml
Author: markt Date: Mon Jun 17 09:24:11 2013 New Revision: 1493690 URL: http://svn.apache.org/r1493690 Log: FindBugs false positives Modified: tomcat/trunk/res/findbugs/filter-false-positives.xml Modified: tomcat/trunk/res/findbugs/filter-false-positives.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/res/findbugs/filter-false-positives.xml?rev=1493690&r1=1493689&r2=1493690&view=diff == --- tomcat/trunk/res/findbugs/filter-false-positives.xml (original) +++ tomcat/trunk/res/findbugs/filter-false-positives.xml Mon Jun 17 09:24:11 2013 @@ -79,6 +79,16 @@ + + + + + + + + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1493691 - /tomcat/trunk/res/findbugs/filter-post-7.0.x-fixes.xml
Author: markt Date: Mon Jun 17 09:27:20 2013 New Revision: 1493691 URL: http://svn.apache.org/r1493691 Log: Any post-7.0.x issues can be fixed now in trunk Removed: tomcat/trunk/res/findbugs/filter-post-7.0.x-fixes.xml - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1493729 - in /tomcat/trunk: java/org/apache/catalina/authenticator/ java/org/apache/catalina/connector/ test/org/apache/catalina/authenticator/ test/org/apache/catalina/startup/
Author: markt
Date: Mon Jun 17 12:23:51 2013
New Revision: 1493729
URL: http://svn.apache.org/r1493729
Log:
Servlet 3.1 - Switch to using 303 rather than 302 redirects for HTTP/1.1
requests
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
tomcat/trunk/java/org/apache/catalina/connector/Response.java
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
tomcat/trunk/test/org/apache/catalina/startup/SimpleHttpClient.java
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1493729&r1=1493728&r2=1493729&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
Mon Jun 17 12:23:51 2013
@@ -32,6 +32,7 @@ import org.apache.catalina.Manager;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.coyote.ActionCode;
import org.apache.juli.logging.Log;
@@ -335,7 +336,17 @@ public class FormAuthenticator
response.sendRedirect(response.encodeRedirectURL(uri));
}
} else {
-response.sendRedirect(response.encodeRedirectURL(requestURI));
+// Until the Servlet API allows specifying the type of redirect to
+// use.
+Response internalResponse = request.getResponse();
+String location = response.encodeRedirectURL(requestURI);
+if ("HTTP/1.1".equals(request.getProtocol())) {
+internalResponse.sendRedirect(location,
+HttpServletResponse.SC_SEE_OTHER);
+} else {
+internalResponse.sendRedirect(location,
+HttpServletResponse.SC_FOUND);
+}
}
return false;
Modified: tomcat/trunk/java/org/apache/catalina/connector/Response.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Response.java?rev=1493729&r1=1493728&r2=1493729&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/connector/Response.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Response.java Mon Jun 17
12:23:51 2013
@@ -1244,7 +1244,15 @@ public class Response
@Override
public void sendRedirect(String location)
throws IOException {
+sendRedirect(location, SC_FOUND);
+}
+/**
+ * Internal method that allows a redirect to be sent with a status other
+ * than {@link HttpServletResponse#SC_FOUND} (302). No attempt is made to
+ * validate the status code.
+ */
+public void sendRedirect(String location, int status) throws IOException {
if (isCommitted()) {
throw new IllegalStateException
(sm.getString("coyoteResponse.sendRedirect.ise"));
@@ -1261,7 +1269,7 @@ public class Response
// Generate a temporary redirect to the specified location
try {
String absolute = toAbsolute(location);
-setStatus(SC_FOUND);
+setStatus(status);
setHeader("Location", absolute);
if (getContext().getSendRedirectBody()) {
PrintWriter writer = getWriter();
Modified:
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java?rev=1493729&r1=1493728&r2=1493729&view=diff
==
---
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
(original)
+++
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Mon Jun 17 12:23:51 2013
@@ -75,6 +75,9 @@ public class TestFormAuthenticator exten
protected static final boolean CLIENT_USE_COOKIES = true;
protected static final boolean CLIENT_NO_COOKIES = !CLIENT_USE_COOKIES;
+protected static final boolean CLIENT_USE_HTTP_11 = true;
+protected static final boolean CLIENT_USE_HTTP_10 = !CLIENT_USE_HTTP_11;
+
protected static final boolean SERVER_USE_COOKIES = true;
protected static final boolean SERVER_NO_COOKIES = !SERVER_USE_COOKIES;
@@ -236,6 +239,14 @@ public class TestFormAuthenticator exten
FormAuthClient.LOGIN_REQUIRED, 1);
}
+// HTTP 1.0 test
+@Test
+public void testGetWithCookiesHttp10() throws Exception {
+doTest("GET", "GET", NO_100_CONTINUE,
+CLIENT_USE_COOKIE
The future of Realm's allRolesMode
Servlet 3.1 has introduced the new special role of "**" to mean any authenticated user. With this new feature, Tomcat's allRolesMode attribute on the Realm is no longer necessary. My preference is to remove the allRolesMode attribute and supporting code in Tomcat 8. Are they any objections (with alternative plans)? Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1493740 - /tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Author: markt
Date: Mon Jun 17 12:36:52 2013
New Revision: 1493740
URL: http://svn.apache.org/r1493740
Log:
Fix indents
Modified:
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Modified:
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java?rev=1493740&r1=1493739&r2=1493740&view=diff
==
---
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
(original)
+++
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Mon Jun 17 12:36:52 2013
@@ -596,26 +596,26 @@ public class TestFormAuthenticator exten
return fullPath;
}
-/*
- * extract the session id path element (if it exists in the given url)
- */
-private String extractPathSessionId(String url) {
-String sessionId = null;
-int iStart = url.indexOf(SESSION_PARAMETER_START);
-if (iStart > -1) {
-iStart += SESSION_PARAMETER_START.length();
-String remainder = url.substring(iStart);
-StringTokenizer parser =
-new StringTokenizer(remainder,
SESSION_PATH_PARAMETER_TAILS);
-if (parser.hasMoreElements()) {
-sessionId = parser.nextToken();
-}
-else {
-sessionId = url.substring(iStart);
+/*
+ * extract the session id path element (if it exists in the given url)
+ */
+private String extractPathSessionId(String url) {
+String sessionId = null;
+int iStart = url.indexOf(SESSION_PARAMETER_START);
+if (iStart > -1) {
+iStart += SESSION_PARAMETER_START.length();
+String remainder = url.substring(iStart);
+StringTokenizer parser = new StringTokenizer(remainder,
+SESSION_PATH_PARAMETER_TAILS);
+if (parser.hasMoreElements()) {
+sessionId = parser.nextToken();
+}
+else {
+sessionId = url.substring(iStart);
+}
}
+return sessionId;
}
-return sessionId;
-}
private void assertContains(String body, String expected) {
if (!body.contains(expected)) {
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1493801 - in /tomcat/trunk: java/org/apache/catalina/authenticator/AuthenticatorBase.java test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Author: markt
Date: Mon Jun 17 15:00:56 2013
New Revision: 1493801
URL: http://svn.apache.org/r1493801
Log:
Servlet 3.1. If GET is not protected but other methods are, the redirect after
authentication (that now always uses a GET) fails. Because it is unprotected it
is not passed to the FORM authenticator for processing (where the original
request would be restored).
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1493801&r1=1493800&r2=1493801&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Mon Jun 17 15:00:56 2013
@@ -455,6 +455,36 @@ public abstract class AuthenticatorBase
}
}
+// Special handling for form-based logins to deal with the case where
+// a resource is protected for some HTTP methods but not protected for
+// GET which is used after authentication when redirecting to the
+// protected resource.
+// TODO: This is similar to the FormAuthenticator.matchRequest() logic
+// Is there a way to remove the duplication?
+Session session = request.getSessionInternal(false);
+if (session != null) {
+SavedRequest savedRequest =
+(SavedRequest)
session.getNote(Constants.FORM_REQUEST_NOTE);
+if (savedRequest != null) {
+String decodedRequestURI = request.getDecodedRequestURI();
+if (decodedRequestURI != null &&
+decodedRequestURI.equals(
+savedRequest.getDecodedRequestURI())) {
+if (!authenticate(request, response)) {
+if (log.isDebugEnabled()) {
+log.debug(" Failed authenticate() test");
+}
+/*
+ * ASSERT: Authenticator already set the appropriate
+ * HTTP status code, so we do not have to do anything
+ * special
+ */
+return;
+}
+}
+}
+}
+
// The Servlet may specify security constraints through annotations.
// Ensure that they have been processed before constraints are checked
Wrapper wrapper = request.getMappingData().wrapper;
Modified:
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java?rev=1493801&r1=1493800&r2=1493801&view=diff
==
---
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
(original)
+++
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Mon Jun 17 15:00:56 2013
@@ -17,9 +17,16 @@
package org.apache.catalina.authenticator;
import java.io.File;
+import java.io.IOException;
import java.util.List;
import java.util.StringTokenizer;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
@@ -28,8 +35,12 @@ import org.junit.Test;
import org.apache.catalina.Context;
import org.apache.catalina.Valve;
import org.apache.catalina.deploy.ApplicationListener;
+import org.apache.catalina.deploy.LoginConfig;
+import org.apache.catalina.deploy.SecurityCollection;
+import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.startup.SimpleHttpClient;
import org.apache.catalina.startup.TestTomcat.MapRealm;
+import org.apache.catalina.startup.TesterServlet;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.startup.TomcatBaseTest;
import org.apache.tomcat.websocket.server.WsListener;
@@ -247,6 +258,43 @@ public class TestFormAuthenticator exten
CLIENT_USE_HTTP_10);
}
+
+@Test
+public void doTestSelectedMethods() throws Exception {
+
+FormAuthClientSelectedMethods client =
+new FormAuthClientSelectedMethods(true, true, true, true);
+
+// First request for protected resource gets the login page
+client.doResourceRequest("PUT", true, "/test?" +
+SelectedMethodsServlet.PARAM + "="
Re: svn commit: r1493801 - in /tomcat/trunk: java/org/apache/catalina/authenticator/AuthenticatorBase.java test/org/apache/catalina/authenticator/TestFormAuthenticator.java
On 17/06/2013 16:00, ma...@apache.org wrote: Author: markt Date: Mon Jun 17 15:00:56 2013 New Revision: 1493801 URL: http://svn.apache.org/r1493801 Log: Servlet 3.1. If GET is not protected but other methods are, the redirect after authentication (that now always uses a GET) fails. Because it is unprotected it is not passed to the FORM authenticator for processing (where the original request would be restored). Need to check how Tomcat 7.0.x handles this. It might be different because of the 302/303 differences but I suspect not. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: MD5Encoder.encode versus HexUtils.toHexString
Mark,
On 6/16/13 12:04 PM, Mark Thomas wrote:
> On 15/06/2013 16:39, Christopher Schultz wrote:
>> All,
>>
>> While looking into a patch for BasicRealm, I noticed that there are two
>> classes that convert byte[] to a hex-encoded string (e.g. byte[] { 1, 2,
>> a, b ] -> "12ab"): HexUtils and MD5Encoder.
>
> That isn't what those methods do. There are 2 output characters for each
> input byte.
Sorry... I was trying to type quickly. That should have been "01020a0b"
for the given input.
>> MD5Encoder only has a single method (encode) and it does exactly what
>> HexUtils.toHexString does, except that it only works for exactly 16-byte
>> arrays.
>
> Agreed.
>
>> I haven't actually written any performance tests, but looking at the
>> code it seems that HexUtils.toHexString would execute slightly faster
>> for a 16-byte array because of repeated integer multiplication in the loop.
>
> I'd want to see some hard numbers on both methods before making are
> decisions based on performance.
I'll write some micro benchmarks and post the results.
>> Is there a reason for MD5Encoder to exist? It appears only to be used in
>> the following classes:
>>
>> RealmBase
>> DigestAuthenticator
>> WebdavServlet
>
> The check that the input is exactly 16 bytes might be a useful one in
> that it confirms other code is behaving as expected.
We /could/ make the check and then delegate to the general-purpose
method. We'll check the difference between the performance: if a
special-purpose method has a significant advantage, it may be worth
leaving it separate.
How often do we expect these methods to be called? In pathological
cases, are these methods called with every request? If we are taking
about a once-per-session operation, then performance is less of a
concern IMO.
>> Although I suppose a specialty 16-byte-only method might be written to
>> be slightly faster than the general-purpose HexUtils.toHexString method,
>> I'm not sure it's worth having a separate class/method to do it.
>>
>> Any objections to using HexUtils.toHexString uniformly and removing the
>> MD5Encoder class entirely?
>
> In Tomcat 8, no objections here.
>
> In Tomcat 7, MD5Encoder will have to remain but be deprecated.
Okay. Assuming that I do commit a patch, I'll back-port the switch to
HexUtils but not the removal of the MD5Encoder class (as you have done
similar patche/back-port pairs when removing classes/methods from TC8).
Thanks,
-chris
signature.asc
Description: OpenPGP digital signature
Re: MD5Encoder.encode versus HexUtils.toHexString
Chris,
On 6/17/13 11:38 AM, Christopher Schultz wrote:
>> Mark Thomas wrote
>>> I haven't actually written any performance tests, but looking at the
>>> code it seems that HexUtils.toHexString would execute slightly faster
>>> for a 16-byte array because of repeated integer multiplication in the loop.
>>
>> I'd want to see some hard numbers on both methods before making are
>> decisions based on performance.
>
> I'll write some micro benchmarks and post the results.
Here's what I got for 10 runs in the same JVM run. Code at the bottom.
Looks like a dead heat, but I got all kinds of data all over the
place... sometimes HexUtils really beats MD5Encoder badly and sometimes
the opposite.
MD5Encoder HexUtil
495ms 409ms
397ms 396ms
401ms 401ms
401ms 398ms
403ms 401ms
398ms 400ms
400ms 405ms
402ms 401ms
398ms 413ms
400ms 395ms
I'll see if I can tweak each of the implementations -- I think there is
an improvement or two that can be made.
-chris
PS the code:
import org.apache.catalina.util.MD5Encoder;
import org.apache.tomcat.util.buf.HexUtils;
public class DigestEncoderPerfTest
{
static MD5Encoder md5encoder = new MD5Encoder();
public static void main(String[] args)
throws Exception
{
final byte[] testBytes = "thisisatestABCDE".getBytes("US-ASCII");
final long iterations = 1000;
final int times = 10;
// Warm-up the JIT
testMD5Encoder(10, testBytes);
testHexEncoder(10, testBytes);
testMD5Encoder(10, testBytes);
testHexEncoder(10, testBytes);
testMD5Encoder(10, testBytes);
testHexEncoder(10, testBytes);
long elapsed;
System.out.println("MD5Encoder\tHexUtil");
for(int i=0; i
signature.asc
Description: OpenPGP digital signature
[Bug 55108] New: Wasted work in "AbstractReplicatedMap.excludeFromSet"
https://issues.apache.org/bugzilla/show_bug.cgi?id=55108 Bug ID: 55108 Summary: Wasted work in "AbstractReplicatedMap.excludeFromSet" Product: Tomcat 7 Version: 7.0.41 Hardware: PC OS: Linux Status: NEW Severity: normal Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: nist...@illinois.edu Created attachment 30448 --> https://issues.apache.org/bugzilla/attachment.cgi?id=30448&action=edit patch The problem appears in version 7.0.41 and in revision 1493861. I attached a one-line patch that fixes it. In method "AbstractReplicatedMap.excludeFromSet", the loop over "mbrs" should break immediately after "include" is set to "false". All the iterations after "include" is set to "false" do not perform any useful work, at best they just set "include" again to "false". Method "inSet" in the same class "AbstractReplicatedMap" (right above the definition of "excludeFromSet") has a similar loop (over "set"), and this loop breaks immediately after "result" is set to "true", just like in the proposed patch. Other methods (e.g., "MapperListener.findDefaultHost", "CollectVisitor.checkSeen", "JspDocumentParser.processChars", "ParameterParser.isOneOf") also have similar loops with similar breaks, just like in the proposed patch. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55108] Wasted work in "AbstractReplicatedMap.excludeFromSet"
https://issues.apache.org/bugzilla/show_bug.cgi?id=55108 Adrian Nistor changed: What|Removed |Added Keywords||PatchAvailable CC||nist...@illinois.edu -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55109] New: Wasted work in "WebdavServlet.isLocked"
https://issues.apache.org/bugzilla/show_bug.cgi?id=55109 Bug ID: 55109 Summary: Wasted work in "WebdavServlet.isLocked" Product: Tomcat 7 Version: 7.0.41 Hardware: PC OS: Linux Status: NEW Severity: normal Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: nist...@illinois.edu Created attachment 30449 --> https://issues.apache.org/bugzilla/attachment.cgi?id=30449&action=edit patch The problem appears in version 7.0.41 and in revision 1493861. I attached a two-line patch that fixes it. In method "WebdavServlet.isLocked", the two loops over "tokenList" should break immediately after "tokenMatch" is set to "true". All the iterations after "tokenMatch" is set to "true" do not perform any useful work, at best they just set "tokenMatch" again to "true". Method "startInternal" in class "StandardHost" has a similar loop (over "valves"), and this loop breaks immediately after "found" is set to "true", just like in the proposed patch. Other methods (e.g., "MapperListener.findDefaultHost", "CollectVisitor.checkSeen", "JspDocumentParser.processChars", "ParameterParser.isOneOf") also have similar loops with similar breaks, just like in the proposed patch. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55109] Wasted work in "WebdavServlet.isLocked"
https://issues.apache.org/bugzilla/show_bug.cgi?id=55109 Adrian Nistor changed: What|Removed |Added Keywords||PatchAvailable CC||nist...@illinois.edu -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55110] New: Wasted work in "TestNonLoginAndBasicAuthenticator.doTestBasic"
https://issues.apache.org/bugzilla/show_bug.cgi?id=55110 Bug ID: 55110 Summary: Wasted work in "TestNonLoginAndBasicAuthenticator.doTestBasic" Product: Tomcat 7 Version: 7.0.41 Hardware: PC OS: Linux Status: NEW Severity: normal Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: nist...@illinois.edu Created attachment 30450 --> https://issues.apache.org/bugzilla/attachment.cgi?id=30450&action=edit patch The problem appears in version 7.0.41 and in revision 1493861. I attached a one-line patch (patch.diff) that fixes it. In method "TestNonLoginAndBasicAuthenticator.doTestBasic", the loop over "authHeaders" should break immediately after "methodFound" is set to "true". All the iterations after "methodFound" is set to "true" do not perform any useful work, at best they just set "methodFound" again to "true". Method "TestWsWebSocketContainer.testSessionExpiryContainer" has a similar problem (the loop over "setA" should break immediately after "isOpen" is set to true). I attached another one-line patch (patch2.diff) for this problem. Method "startInternal" in class "StandardHost" has a similar loop (over "valves"), and this loop breaks immediately after "found" is set to "true", just like in the proposed patches. Other methods (e.g., "MapperListener.findDefaultHost", "CollectVisitor.checkSeen", "JspDocumentParser.processChars", "ParameterParser.isOneOf") also have similar loops with similar breaks, just like in the proposed patches. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55110] Wasted work in "TestNonLoginAndBasicAuthenticator.doTestBasic"
https://issues.apache.org/bugzilla/show_bug.cgi?id=55110 --- Comment #1 from Adrian Nistor --- Created attachment 30451 --> https://issues.apache.org/bugzilla/attachment.cgi?id=30451&action=edit patch2 -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 55110] Wasted work in "TestNonLoginAndBasicAuthenticator.doTestBasic"
https://issues.apache.org/bugzilla/show_bug.cgi?id=55110 Adrian Nistor changed: What|Removed |Added Keywords||PatchAvailable CC||nist...@illinois.edu -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1493908 - in /tomcat/tc7.0.x/trunk: ./ test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Author: markt
Date: Mon Jun 17 19:57:41 2013
New Revision: 1493908
URL: http://svn.apache.org/r1493908
Log:
Fix indents
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Propchange: tomcat/tc7.0.x/trunk/
--
Merged /tomcat/trunk:r1493740
Modified:
tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java?rev=1493908&r1=1493907&r2=1493908&view=diff
==
---
tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
(original)
+++
tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Mon Jun 17 19:57:41 2013
@@ -556,26 +556,26 @@ public class TestFormAuthenticator exten
return fullPath;
}
-/*
- * extract the session id path element (if it exists in the given url)
- */
-private String extractPathSessionId(String url) {
-String sessionId = null;
-int iStart = url.indexOf(SESSION_PARAMETER_START);
-if (iStart > -1) {
-iStart += SESSION_PARAMETER_START.length();
-String remainder = url.substring(iStart);
-StringTokenizer parser =
-new StringTokenizer(remainder,
SESSION_PATH_PARAMETER_TAILS);
-if (parser.hasMoreElements()) {
-sessionId = parser.nextToken();
-}
-else {
-sessionId = url.substring(iStart);
+/*
+ * extract the session id path element (if it exists in the given url)
+ */
+private String extractPathSessionId(String url) {
+String sessionId = null;
+int iStart = url.indexOf(SESSION_PARAMETER_START);
+if (iStart > -1) {
+iStart += SESSION_PARAMETER_START.length();
+String remainder = url.substring(iStart);
+StringTokenizer parser = new StringTokenizer(remainder,
+SESSION_PATH_PARAMETER_TAILS);
+if (parser.hasMoreElements()) {
+sessionId = parser.nextToken();
+}
+else {
+sessionId = url.substring(iStart);
+}
}
+return sessionId;
}
-return sessionId;
-}
private void assertContains(String body, String expected) {
if (!body.contains(expected)) {
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1493910 - /tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Author: markt
Date: Mon Jun 17 20:07:01 2013
New Revision: 1493910
URL: http://svn.apache.org/r1493910
Log:
Make base class abstract
Modified:
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Modified:
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java?rev=1493910&r1=1493909&r2=1493910&view=diff
==
---
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
(original)
+++
tomcat/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Mon Jun 17 20:07:01 2013
@@ -421,7 +421,7 @@ public class TestFormAuthenticator exten
* Encapsulate the logic needed to run a suitably-configured tomcat
* instance, send it an HTTP request and process the server response
*/
-private class FormAuthClientBase extends SimpleHttpClient {
+private abstract class FormAuthClientBase extends SimpleHttpClient {
protected static final String LOGIN_PARAM_TAG = "action=";
protected static final String LOGIN_RESOURCE = "j_security_check";
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1493918 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/authenticator/AuthenticatorBase.java test/org/apache/catalina/authenticator/TestFormAuthenticator.java webapps/docs/changel
Author: markt
Date: Mon Jun 17 20:17:03 2013
New Revision: 1493918
URL: http://svn.apache.org/r1493918
Log:
If GET is not protected but other methods are, the redirect after
authentication (that normally uses GET) fails. Because it is unprotected it is
not passed to the FORM authenticator for processing (where the original request
would be restored).
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
--
Merged /tomcat/trunk:r1493801,1493910
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1493918&r1=1493917&r2=1493918&view=diff
==
---
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Mon Jun 17 20:17:03 2013
@@ -454,6 +454,36 @@ public abstract class AuthenticatorBase
}
}
+// Special handling for form-based logins to deal with the case where
+// a resource is protected for some HTTP methods but not protected for
+// GET which is used after authentication when redirecting to the
+// protected resource.
+// TODO: This is similar to the FormAuthenticator.matchRequest() logic
+// Is there a way to remove the duplication?
+Session session = request.getSessionInternal(false);
+if (session != null) {
+SavedRequest savedRequest =
+(SavedRequest)
session.getNote(Constants.FORM_REQUEST_NOTE);
+if (savedRequest != null) {
+String decodedRequestURI = request.getDecodedRequestURI();
+if (decodedRequestURI != null &&
+decodedRequestURI.equals(
+savedRequest.getDecodedRequestURI())) {
+if (!authenticate(request, response)) {
+if (log.isDebugEnabled()) {
+log.debug(" Failed authenticate() test");
+}
+/*
+ * ASSERT: Authenticator already set the appropriate
+ * HTTP status code, so we do not have to do anything
+ * special
+ */
+return;
+}
+}
+}
+}
+
// The Servlet may specify security constraints through annotations.
// Ensure that they have been processed before constraints are checked
Wrapper wrapper = (Wrapper) request.getMappingData().wrapper;
Modified:
tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java?rev=1493918&r1=1493917&r2=1493918&view=diff
==
---
tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
(original)
+++
tomcat/tc7.0.x/trunk/test/org/apache/catalina/authenticator/TestFormAuthenticator.java
Mon Jun 17 20:17:03 2013
@@ -17,9 +17,16 @@
package org.apache.catalina.authenticator;
import java.io.File;
+import java.io.IOException;
import java.util.List;
import java.util.StringTokenizer;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
@@ -27,8 +34,12 @@ import org.junit.Test;
import org.apache.catalina.Context;
import org.apache.catalina.Valve;
+import org.apache.catalina.deploy.LoginConfig;
+import org.apache.catalina.deploy.SecurityCollection;
+import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.startup.SimpleHttpClient;
import org.apache.catalina.startup.TestTomcat.MapRealm;
+import org.apache.catalina.startup.TesterServlet;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.startup.TomcatBaseTest;
@@ -234,6 +245,43 @@ public class TestFormAuthenticator exten
FormAuthClient.LOGIN_REQUIRED, 1);
}
+
+@Test
+public void doTestSelectedMethods() throws Exception {
+
+FormAuthClientSelectedMethods client =
+new Fo
svn commit: r1493927 - /tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java
Author: markt
Date: Mon Jun 17 20:37:33 2013
New Revision: 1493927
URL: http://svn.apache.org/r1493927
Log:
Make addAuthRole() and removeAuthRole() consistent
Modified:
tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java
Modified: tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java?rev=1493927&r1=1493926&r2=1493927&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/deploy/SecurityConstraint.java Mon
Jun 17 20:37:33 2013
@@ -201,10 +201,12 @@ public class SecurityConstraint implemen
if (authRole == null)
return;
+
if ("*".equals(authRole)) {
allRoles = true;
return;
}
+
String results[] = new String[authRoles.length + 1];
for (int i = 0; i < authRoles.length; i++)
results[i] = authRoles[i];
@@ -338,6 +340,12 @@ public class SecurityConstraint implemen
if (authRole == null)
return;
+
+if ("*".equals(authRole)) {
+allRoles = false;
+return;
+}
+
int n = -1;
for (int i = 0; i < authRoles.length; i++) {
if (authRoles[i].equals(authRole)) {
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
