
Re: Re: Security Constraints problem

by djencks


On Jun 1, 2009, at 8:47 AM, Greg Wilkins wrote:

> Jeff McAffer wrote:
>> FYI, the Eclipse webmaster has enabled the security feature on bugzilla
>> that limits the visibility of security related discussions in an effort
>> to reduce exploits.  Bugs can be marked as security related (on the bug
>> itself).  From that point on only committers (I believe) can read the
>> bug.  Use at your discretion.
>
> Cool! Good feature!
>
> but in this case it is a problem of a new feature in development, and is
> not so much an exploit as a failure to login.   So it is good for this to
> be open.
>
> Jan - any luck reproducing with the test harness?
>
> I'm pretty sure this is something to do with the fact that we now scope
> for servlets before calling the security handler, so the path is
> now split into servletPath and pathInfo depending on the mappings.
>
> I think the security stuff was only looking at pathInfo because it used to
> only be called before servlet scoping.

Right, that's the problem.  I opened bug 278887 and patched  
FormAuthenticator like this:

-        String uri = request.getPathInfo();
+        String uri = request.getRequestURL().toString();
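
Review bot: on the `+` line, `uri` stops being a servlet-relative path and becomes an absolute URL with scheme, host and port, so any later matching of `uri` against a path (not visible in this hunk) needs to be rechecked against the new form. The host part of `getRequestURL()` normally comes from the request's Host header, which the client controls, and the call builds a new StringBuffer each time. Consider composing the value from `getServletPath()` plus `getPathInfo()`, with a null check on each, which keeps `uri` a path and matches the servletPath/pathInfo split described in the quoted message.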


Is there a string already computed that would work as well as  
getRequestURL() and be quicker than constructing a StringBuffer and  
then a String?

thanks
david jencks

>
>
> cheers
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this list, please visit:
>
>    http://xircles.codehaus.org/manage_email
>
>
