http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24197

adding an extra slash in a mod_jk url circumvents tomcat (form) login authentication

           Summary: adding an extra slash in a mod_jk url circumvents tomcat (form) login authentication
           Product: Tomcat 4
           Version: 4.1.27
          Platform: All
               URL: http://(on request)
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Connector:JK/AJP (deprecated)
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Assume some.host:8009 with webapp 'webapp' is JkMounted on http://some.host/webapp/*.

If you request a file (e.g. http://some.host/webapp/private.jsp) protected by a security-constraint in the web.xml file, normally a password prompt would appear. However, if you type http://some.host/webapp//private.jsp in your browser's address bar, you can view the page, but as a user with no role.

This problem doesn't occur if you try tomcat's http/1.1 connector with an extra slash.

Tested with FreeBSD 4.8, RedHat 8, mod_jk 1.1.0, mod_jk 1.2.4, mod_jk 1.2.5, tomcat 4.1.12, tomcat 4.1.27, apache 1.3.28.
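The report above does not say why the doubled slash skips the constraint, so this added example (not part of the original report, nor Tomcat or mod_jk code) stays on the detection side: it scans Apache access-log lines for 2xx responses to protected resources that were requested with repeated slashes. The context path, the protected url-patterns and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumptions (not from the report): the context path and the url-patterns
# that web.xml protects with <security-constraint>.
CONTEXT = "/webapp"
PROTECTED = ["/private.jsp", "/admin/*"]

# Apache common log format: host ident user [time] "METHOD uri PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2004:10:00:01 +0000] "GET /webapp/private.jsp HTTP/1.1" 302 0',
    '192.0.2.10 - - [01/Jan/2004:10:00:05 +0000] "GET /webapp//private.jsp HTTP/1.1" 200 1532',
    '192.0.2.11 - - [01/Jan/2004:10:00:09 +0000] "GET /webapp//index.jsp HTTP/1.1" 200 812',
    '192.0.2.12 - - [01/Jan/2004:10:00:12 +0000] "GET /webapp/admin//users?x=1 HTTP/1.1" 200 99',
]

def is_protected(rel):
    """Servlet-style url-pattern match: exact, '/prefix/*' or '*.ext'."""
    for pat in PROTECTED:
        if pat.endswith("/*"):
            hit = rel == pat[:-2] or rel.startswith(pat[:-1])
        elif pat.startswith("*."):
            hit = rel.endswith(pat[1:])
        else:
            hit = rel == pat
        if hit:
            return True
    return False

def suspicious(line):
    """(client, uri) for a 2xx hit on a protected path reached via '//', else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, uri, status = m.groups()
    raw = unquote(uri.split("?", 1)[0])      # path only, percent-decoded once
    norm = re.sub(r"/{2,}", "/", raw)        # collapse repeated slashes
    if raw == norm or not status.startswith("2"):
        return None
    if norm.startswith(CONTEXT + "/") and is_protected(norm[len(CONTEXT):]):
        return client, uri
    return None

def scan(lines):
    return [hit for hit in map(suspicious, lines) if hit]
```

Running `scan()` over the front-end Apache access log for the JkMounted prefix lists the clients that received protected content this way; the normal redirect to the login form (302) and doubled-slash requests for unprotected pages are ignored.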