DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12549>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12549 j_security_check is not handled correctly when authenticated Summary: j_security_check is not handled correctly when authenticated Product: Tomcat 4 Version: 4.0.3 Final Platform: All OS/Version: All Status: NEW Severity: Normal Priority: Other Component: Catalina AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] The problem occurs when someone attempts to access j_security_check but is already authenticated. >From org.apache.catalina.authenticator.AuthenticatorBase: // Special handling for form-based logins to deal with the case // where the login form (and therefore the "j_security_check" URI // to which it submits) might be outside the secured area String contextPath = this.context.getPath(); String requestURI = hrequest.getDecodedRequestURI(); 1: if (requestURI.startsWith(contextPath) && requestURI.endsWith(Constants.FORM_ACTION)) { 2: if (!authenticate(hrequest, hresponse, config)) { if (debug >= 1) log(" Failed authenticate() test"); 3: return; } 4: } In (1) the code matches any request to j_security_check, which triggers a call to authenticate at (2). In a new request to process a form login, authenticate() (in FormAuthenticator) will process the login and (if succesful) it will set a redirect to the original request (which had been saved) and return FALSE. This ends the processing at (3), the redirect is later processed and all is well. However, if the user is already authenticated authenticate() simply return TRUE so the code reaches (4) where no action is taken and we fall out of the special-case block for j_security_check. Then the request processing continues as if it were a regular page request, which of course results in a 404. (Note that the debug message is also incorrect after (2) since here FALSE can be a success case). -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
