Bug 51453 - Requests to open URL that include an Authorization header do not reach servlet
Requests to open URL that include an Authorization header do not reach servlet
Status: RESOLVED FIXED
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
7.0.16
PC Linux
: P2 regression (vote)
: ---
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2011-06-30 14:10 UTC by Craig Chaney
Modified: 2011-07-14 15:47 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Craig Chaney 2011-06-30 14:10:50 UTC
In Tomcat 7, I've noticed that a request to a URL that does not require authentication will get forwarded to the login page if the request contains an "Authorization" header.

Our application expects these requests to be processed by the servlet.  The servlet parses the Authorization header and takes appropriate action (possibly redirecting to the login page or allowing the request if the headers contain an acceptible token).  This has worked in older versions of Tomcat.

The relevant part of our web.xml looks like:

<security-constraint>

  <web-resource-collection>
    <web-resource-name>open</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- several other url patterns -->
  </web-resource-collection>

  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>

  <!-- Notice no auth-constraint element -->

</security-constraint>

I observed the behavior of org.apache.catalina.authenticator.AuthenticatorBase.invoke(), here's what I saw:

The constraints variable contains a single constraint that matches the security constraint from our web.xml above.

On line 520, authRequired is set to true because of the presence of the Authorization header.

The authenticate() call on line 535 fails and redirects to the login page.
Comment 1 Konstantin Kolinko 2011-06-30 15:14:57 UTC
Please provide a simple sample web application that demonstrates this issue.

Your snippet of web.xml is incomplete: I suspect that this issue depends on the <auth-method> that you are using.

(The Authorization header is used by Tomcat Ant tasks, and nobody reported that those were broken.)

> This has worked in older versions of Tomcat.

Which versions?
Comment 2 Mark Thomas 2011-06-30 15:32:02 UTC
This looks like a regression due to the addition of the optional pre-authentication support. I should have a fix for this shortly.
Comment 3 Mark Thomas 2011-06-30 15:41:44 UTC
This has been fixed in 7.0.x and will be included in 7.0.17 onwards.
Comment 4 Sudarsha Wijenayake 2011-07-14 15:44:50 UTC
(In reply to comment #3)
> This has been fixed in 7.0.x and will be included in 7.0.17 onwards.

Is this fix now available in the following SVN path?

http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_17/

I would like to give it a try before 7.0.17 goes out. Thanks!
Comment 5 Mark Thomas 2011-07-14 15:47:46 UTC
The 7.0.17 was stopped, as was 7.0.18. 7.0.19 in currently in progress. You can build it from the tag or from http://people.apache.org/~markt/dev/tomcat-7/

WARNING: This is NOT an official ASF release. It is a release candidate for testing purposes only.