Description: Remove unneeded handling of FORM authentication in RealmBase.
The login and error pages are handled via forward, so processing completes
before this code is ever reached. The action page is handled elsewhere.
It is a fix for CVE-2012-3546.
Origin: upstream, http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java?r1=1377892&r2=1377891&pathrev=1377892
7
--- a/java/org/apache/catalina/realm/RealmBase.java
8
+++ b/java/org/apache/catalina/realm/RealmBase.java
10
import org.apache.catalina.Wrapper;
11
import org.apache.catalina.connector.Request;
12
import org.apache.catalina.connector.Response;
13
-import org.apache.catalina.deploy.LoginConfig;
14
import org.apache.catalina.deploy.SecurityCollection;
15
import org.apache.catalina.deploy.SecurityConstraint;
16
import org.apache.catalina.mbeans.MBeanUtils;
18
if (constraints == null || constraints.length == 0)
21
- // Specifically allow access to the form login and form error pages
22
- // and the "j_security_check" action
23
- LoginConfig config = context.getLoginConfig();
24
- if ((config != null) &&
25
- (Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
26
- String requestURI = request.getRequestPathMB().toString();
27
- String loginPage = config.getLoginPage();
28
- if (loginPage.equals(requestURI)) {
29
- if (log.isDebugEnabled())
30
- log.debug(" Allow access to login page " + loginPage);
33
- String errorPage = config.getErrorPage();
34
- if (errorPage.equals(requestURI)) {
35
- if (log.isDebugEnabled())
36
- log.debug(" Allow access to error page " + errorPage);
39
- if (requestURI.endsWith(Constants.FORM_ACTION)) {
40
- if (log.isDebugEnabled())
41
- log.debug(" Allow access to username/password submission");
46
// Which user principal have we already authenticated?
47
Principal principal = request.getPrincipal();
48
boolean status = false;