Summary: | Different redirect behaviour when accessing path without a / | |
---|---|---|---
Product: | Tomcat 8 | Reporter: | per.lewau
Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | dushkin
Priority: | P2 | |
Version: | 8.0.29 | |
Target Milestone: | ---- | |
Hardware: | PC | |
OS: | All | |

Description
per.lewau
2015-11-27 09:02:31 UTC
Read the change log. The change in where processing takes place is intentional but the end result should have been the same. Need to look at what is going on for the context root.

This is reproducible in Tomcat 7.0.66 (release candidate) as well.

Tomcat 8.0.29 - Workaround: In conf/context.xml set the following attribute:
<Context mapperContextRootRedirectEnabled="true">

Tomcat 7.0.66 (release candidate) - The workaround does not work. The cause is that MapperListener calls wrong (deprecated) version of mapper.addContextVersion() method and does not pass the flags to the Mapper.

Specifically for the context root, the default behavior could be to redirect in the mapper (mapperContextRootRedirectEnabled could be true).

I'm neutral on the default behaviour for context root redirects but either way the current issue needs to be fixed. I'm currently working on this.

Well, I messed up as well, since I was certain this was fine (the code change in the default servlet should have redirected the root path as far as I am concerned), although my own patch never removed the "" -> "/" redirect in the mapper of course.

One more place that fails - a FormAuthenticator if it is configured to a web application as a whole and if its authentication form uses a relative URL to j_security_check, like the examples app does.

8.0.29

1. In webapps/examples/WEB-INF/web.xml
   In <security-constraint> elements (there are 2 of them) replace
   <url-pattern>/jsp/security/protected/*</url-pattern>
   with
   <url-pattern>/*</url-pattern>
2. In conf/tomcat-users.xml uncomment test users.
3. Start Tomcat
4. Go to http://localhost:8080/examples
   A login form is displayed.
5. Type in user name and password (as configured in conf/tomcat-users.xml)
6. The login form sends POST request to http://localhost:8080/j_security_check;jsessionid=<...>
   This fails with 404, because request goes to a wrong web application (ROOT, not examples).

One more area of concern: anything that sets a cookie before a redirect happens. See "sessionCookiePathUsesTrailingSlash" option on Context. (FormAuthenticator is an example here as well, but as I wrote above there is a more serious issue with it.)

Well, since we think everything else works, then the easiest/safest is to unconditionally add back the root path redirect in the mapper.

You say that just as I think I have put together a fix. Happy to change the default but I'd like to keep the option of having the Default Servlet do the redirect

The issue is probably that the mapper rewrites (for mapping purposes I think) a "no servlet path" as "/", and the default servlet has no way to know this happened. If I remove this rewrite code, it doesn't work any better though. If you make the root path redirection in default servlet completely functional, then I'd say it's fine to keep the option (even enabled by default), but otherwise ... If it is acked avoiding the root path redirect in the mapper is not something mandatory, it should be possible to add it back and remove the configuration option for now to resolve the regression, and work on it for the next release.

That is exactly the issue I have been working through. I think I have it solved for the Default Servlet. I'm currently working on issue with FORM login at the context root that Konstantin highlighted.

I've committed my first pass at a fix for this to 9.0.x. Please test and I'll work on a 8.0.x release as soon as we are happy with this. At this point I'm still neutral on what the default should be for mapperContextRootRedirectEnabled. I think Remy is in favor of it being true. Any other views?

Testing looks ok (but I probably tested the same things you did). I would have preferred not adding the root path redirect flag though.

I think there are valid use cases for the flag so I'd like to keep it but I'd be happy to change the default.

I found a few issues with my first pass which I have now fixed. I'm currently thinking more testing now and over the weekend with a back-port to 8.0.x towards the end of the weekend and tag on Monday.

*** Bug 58665 has been marked as a duplicate of this bug. ***

Fixed in 9.0.x (for 9.0.0.M2 onwards), 8.0.x (for 8.0.30 onwards), 7.0.x (for 7.0.67 onwards) and 6.0.x (for 6.0.45 onwards).

Hi, this defect is still reproducible in 8.0.30. Is it really fixed or should I use mapperContextRootRedirectEnabled parameter? It is unclear from dev discussion about solution.

This issue is fixed in 8.0.30.

Bugzilla is not a support. If you have questions, please use the users' mailing list. If that discussion identifies a further regression then this can be re-opened.

I've just reproduced following case in 8.0.30 (8.0.28 is ok):

Steps:
1. Download Tomcat installation
2. Open webapps/examples/WEB-INF/web.xml folder
3. Change lines:
   <servlet-mapping> <servlet-name>ChatServlet</servlet-name> <url-pattern>/servlets/chat/chat</url-pattern> </servlet-mapping>
   to
   <servlet-mapping> <servlet-name>ChatServlet</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping>
5. Open http://localhost:8080/examples?key=param

Expected result: Server returns response with status 302 to redirect user to http://localhost:8080/examples/?key=param and then to http://localhost:8080/examples/login.jsp

Actual result: Server returns response with status 302 to redirect user to http://localhost:8080/login.jsp

That behaviour is expected in 8.0.30. The ChatServlet isn't written to handle requests to the root of the context that don't have a trailing slash. Whether it should or not is open to debate.

The default for mapperContextRootRedirectEnabled has changed back to the pre 8.0.29 behaviour for 8.0.31 onward.

(In reply to Mark Thomas from comment #21)
> That behaviour is expected in 8.0.30. The ChatServlet isn't written to
> handle requests to the root of the context that don't have a trailing slash.
> Whether it should or not is open to debate.
>
> The default for mapperContextRootRedirectEnabled has changed back to the
> pre 8.0.29 behaviour for 8.0.31 onward.

Ok, so I'll just set to "true" mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled, to restore old behavior and not bother about default values.

BTW, in changelog (https://tomcat.apache.org/tomcat-8.0-doc/changelog.html) it's said: "Move the functionality that provides redirects for context roots and directories where a trailing / is added from the Mapper to the DefaultServlet." And in "context config" (https://tomcat.apache.org/tomcat-8.0-doc/config/context.html) the description of mapperContextRootRedirectEnabled is following: "If enabled, requests for a web application context root will be redirected (adding a trailing slash) if necessary by the Mapper rather than the default Servlet.". I suppose, you need to update "context config" given that redirect functionality is now only in DefaultServlet.

Hi, I saw the issue is marked as fixed in 7.0.67/8.0.30 changelog. However as I tried to set mapperContextRootRedirectEnabled=true (in the latest version 7, 8.0.73) to restore the behavior in the previous releases, the url without a trailing slash still doesn't work (404). So I would like to check if anyone find the parameter mapperContextRootRedirectEnabled really works.
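
The FORM login failure and the cookie concern raised in the thread both come from how a client treats a context root that has no trailing slash. The JavaScript below is an added illustration, not Tomcat code or code from the thread: owningContext is a simplified stand-in for context mapping, the function names are hypothetical, and the jsessionid value is constructed.

```javascript
// Added illustration, not Tomcat code. Host and paths are the thread's localhost examples.

// Resolve a form's action attribute against the page URL, as a browser does.
function resolveAction(pageUrl, action) {
  return new URL(action, pageUrl).pathname;
}

// Simplified model of context selection (assumption): the longest context path
// that prefixes the request path wins; "" stands for the ROOT web application.
function owningContext(path, contextPaths) {
  const byLength = [...contextPaths].sort((a, b) => b.length - a.length);
  return byLength.find((c) => path === c || path.startsWith(c + "/"));
}

// RFC 6265 section 5.1.4 path-match: is a cookie scoped to cookiePath
// sent with a request for requestPath?
function cookiePathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// What a client does when the login form is served at pageUrl with no redirect.
function analyzeLoginPage(pageUrl, contextPath, contextPaths, trailingSlashCookie) {
  // Relative action as in the examples app; session id value is constructed.
  const target = resolveAction(pageUrl, "j_security_check;jsessionid=CONSTRUCTED");
  // sessionCookiePathUsesTrailingSlash scopes the session cookie to contextPath + "/".
  const cookiePath = trailingSlashCookie ? contextPath + "/" : contextPath;
  return {
    postTarget: target,
    handledBy: owningContext(target, contextPaths),
    sessionCookieSent: cookiePathMatches(new URL(pageUrl).pathname, cookiePath),
  };
}

const contexts = ["", "/examples"]; // ROOT and the examples app
for (const url of ["http://localhost:8080/examples", "http://localhost:8080/examples/"]) {
  console.log(url, analyzeLoginPage(url, "/examples", contexts, true));
}
```

Without the trailing slash the relative action resolves outside /examples and lands in ROOT, and a session cookie scoped to /examples/ is not returned for /examples; after a redirect to /examples/ both resolve inside the examples application.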