Bug 52606

Summary: FORM authentication POST replay broken for AJP
Product: Tomcat 6 Reporter: Konstantin Kolinko <knst.kolinko>
Component: ConnectorsAssignee: Tomcat Developers Mailing List <dev>
Severity: regression    
Priority: P2    
Version: 6.0.35   
Target Milestone: default   
Hardware: PC   
OS: Windows XP   

Description Konstantin Kolinko 2012-02-05 18:10:19 UTC
Reported and discussed in the following thread on users@:
"Form Authentication POST data not preserved?"

This supposedly has the same trigger as the issue reported in Comment 9 in bug 51940 [3], that is consuming the body of the original request before replacing it.

[3] https://issues.apache.org/bugzilla/show_bug.cgi?id=51940#c9

In AbstractAjpProcessor$SocketInputBuffer#doRead() there is a check for "endOfStream" flag. If the flag is set the method returns immediately and does not use the bodyBytes field that was initialized to replay the body.

The fix is to add the following line to "REQ_SET_BODY_REPLAY" case in
AbstractAjpProcessor#action(), as confirmed on the users@ thread:

  endOfStream = false;

In 6.0.x implementation of AjpProcessor$SocketInputBuffer and of replay action is the same, but I have not tested whether this bug can be triggered there or not.
Comment 1 Mark Thomas 2012-02-08 17:23:56 UTC
Fixed in trunk and 7.0.x and will be included in 7.0.26 onwards.

Proposed for 6.0.x. I didn't test it but I can't see how it could work without this patch.
Comment 2 Mark Thomas 2012-03-20 21:52:31 UTC
Fixed in 6.0.x and will be included in 6.0.36 onwards.