Bug 51453 - Requests to open URL that include an Authorization header do not reach servlet
Summary: Requests to open URL that include an Authorization header do not reach servlet
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: 7.0.16
Hardware: PC Linux
Importance: P2 regression
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-30 14:10 UTC by Craig Chaney
Modified: 2011-07-14 15:47 UTC

Description Craig Chaney 2011-06-30 14:10:50 UTC
In Tomcat 7, I've noticed that a request to a URL that does not require authentication will get forwarded to the login page if the request contains an "Authorization" header.

Our application expects these requests to be processed by the servlet.  The servlet parses the Authorization header and takes appropriate action (possibly redirecting to the login page or allowing the request if the headers contain an acceptable token).  This has worked in older versions of Tomcat.

The relevant part of our web.xml looks like:

<security-constraint>

  <web-resource-collection>
    <web-resource-name>open</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- several other url patterns -->
  </web-resource-collection>

  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>

  <!-- Notice no auth-constraint element -->

</security-constraint>

I observed the behavior of org.apache.catalina.authenticator.AuthenticatorBase.invoke(); here's what I saw:

The constraints variable contains a single constraint that matches the security constraint from our web.xml above.

On line 520, authRequired is set to true because of the presence of the Authorization header.

The authenticate() call on line 535 fails and redirects to the login page.
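As an added illustration that is not part of the bug report and not Tomcat's code: a small Python model of the decision path described above. The constraint and request types, the authenticator stand-in, the token values and the mandatory_on_header switch are constructed assumptions; the model only reproduces the two outcomes reported (forwarded to the login page versus reaching the servlet), not Tomcat's actual implementation.

```python
# Added model of the authorization decision described in this bug report.
# It is NOT Tomcat code: the types, the authenticator stand-in and the
# mandatory_on_header switch are constructed to show the two outcomes
# reported (forwarded to the login page vs. reaching the servlet).
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SecurityConstraint:
    url_pattern: str                   # <url-pattern> of the web-resource-collection
    auth_constraint: bool              # True only when an <auth-constraint> is present
    transport_guarantee: str = "NONE"  # <transport-guarantee>, e.g. CONFIDENTIAL


@dataclass
class Request:
    path: str
    headers: Dict[str, str]
    secure: bool = True                # request arrived over TLS


def matches(pattern: str, path: str) -> bool:
    """Minimal servlet-style matching: exact match or '/prefix/*'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def find_constraints(constraints: List[SecurityConstraint], path: str) -> List[SecurityConstraint]:
    """The 'constraints' variable of invoke(): every constraint whose pattern matches."""
    return [c for c in constraints if matches(c.url_pattern, path)]


def try_authenticate(request: Request) -> Optional[str]:
    """Stand-in for the configured authenticator: only one constructed token is understood."""
    if request.headers.get("Authorization") == "Bearer constructed-valid-token":
        return "alice"
    return None


def invoke(request: Request, constraints: List[SecurityConstraint],
           mandatory_on_header: bool) -> str:
    """Return where the request ends up: 'redirect-to-https', 'login-page' or 'servlet'.

    mandatory_on_header=True models the regression: an Authorization header
    alone sets authRequired, so an authenticate() failure forwards to the
    login page even though no matching constraint has an <auth-constraint>.
    mandatory_on_header=False models the intended behaviour: the header is
    only an opportunistic pre-authentication attempt, and its failure is
    fatal only when a constraint actually requires an authenticated user.
    """
    matched = find_constraints(constraints, request.path)
    # The user-data-constraint is enforced first, independently of authentication.
    if not request.secure and any(c.transport_guarantee == "CONFIDENTIAL" for c in matched):
        return "redirect-to-https"
    auth_required = any(c.auth_constraint for c in matched)
    has_header = "Authorization" in request.headers
    if mandatory_on_header and has_header:
        auth_required = True                      # the regression
    principal = try_authenticate(request) if (has_header or auth_required) else None
    if auth_required and principal is None:
        return "login-page"
    return "servlet"                              # the application parses the header itself


# Constructed equivalent of the web.xml snippet in the report:
# /* is CONFIDENTIAL but has no <auth-constraint>.
OPEN_CONSTRAINTS = [SecurityConstraint("/*", auth_constraint=False, transport_guarantee="CONFIDENTIAL")]


def reproduce() -> Dict[str, str]:
    """Same request, carrying an app-specific Authorization header, under both rules."""
    req = Request("/open/resource", {"Authorization": "Custom app-token"})
    return {
        "regression": invoke(req, OPEN_CONSTRAINTS, mandatory_on_header=True),
        "fixed": invoke(req, OPEN_CONSTRAINTS, mandatory_on_header=False),
    }


if __name__ == "__main__":
    for rule, outcome in reproduce().items():
        print(f"{rule}: {outcome}")
```

With the constraints from the report, the only thing separating the two outcomes is whether the presence of the header promotes authentication from optional to mandatory; the transport-guarantee check and a genuinely protected pattern with an auth-constraint behave the same under both rules.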
Comment 1 Konstantin Kolinko 2011-06-30 15:14:57 UTC
Please provide a simple sample web application that demonstrates this issue.

Your snippet of web.xml is incomplete: I suspect that this issue depends on the <auth-method> that you are using.

(The Authorization header is used by Tomcat Ant tasks, and nobody reported that those were broken.)

> This has worked in older versions of Tomcat.

Which versions?
Comment 2 Mark Thomas 2011-06-30 15:32:02 UTC
This looks like a regression due to the addition of the optional pre-authentication support. I should have a fix for this shortly.
Comment 3 Mark Thomas 2011-06-30 15:41:44 UTC
This has been fixed in 7.0.x and will be included in 7.0.17 onwards.
Comment 4 Sudarsha Wijenayake 2011-07-14 15:44:50 UTC
(In reply to comment #3)
> This has been fixed in 7.0.x and will be included in 7.0.17 onwards.

Is this fix now available in the following SVN path?

http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_17/

I would like to give it a try before 7.0.17 goes out. Thanks!
Comment 5 Mark Thomas 2011-07-14 15:47:46 UTC
The 7.0.17 release was stopped, as was 7.0.18. 7.0.19 is currently in progress. You can build it from the tag or from http://people.apache.org/~markt/dev/tomcat-7/

WARNING: This is NOT an official ASF release. It is a release candidate for testing purposes only.