Author: bmaxwell
Date: 2013-04-16 16:29:42 -0400 (Tue, 16 Apr 2013)
New Revision: 2189
Modified:
tags/JBOSSWEB_7_0_16_FINAL_BZ-952835/java/org/apache/catalina/realm/RealmBase.java
Log:
[BZ-952835] CVE-2012-3546 Tomcat/JBoss Web - Bypass of security constraints
Modified:
tags/JBOSSWEB_7_0_16_FINAL_BZ-952835/java/org/apache/catalina/realm/RealmBase.java
===================================================================
---
tags/JBOSSWEB_7_0_16_FINAL_BZ-952835/java/org/apache/catalina/realm/RealmBase.java 2013-04-16
20:26:42 UTC (rev 2188)
+++
tags/JBOSSWEB_7_0_16_FINAL_BZ-952835/java/org/apache/catalina/realm/RealmBase.java 2013-04-16
20:29:42 UTC (rev 2189)
@@ -49,7 +49,6 @@
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.core.ContainerBase;
-import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityCollection;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.util.HexUtils;
@@ -741,31 +740,6 @@
if (constraints == null || constraints.length == 0)
return (true);
- // Specifically allow access to the form login and form error pages
- // and the "j_security_check" action
- LoginConfig config = context.getLoginConfig();
- if ((config != null) &&
- (Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
- String requestURI = request.getRequestPathMB().toString();
- String loginPage = config.getLoginPage();
- if (loginPage.equals(requestURI)) {
- if (log.isDebugEnabled())
- log.debug(" Allow access to login page " + loginPage);
- return (true);
- }
- String errorPage = config.getErrorPage();
- if (errorPage.equals(requestURI)) {
- if (log.isDebugEnabled())
- log.debug(" Allow access to error page " + errorPage);
- return (true);
- }
- if (requestURI.endsWith(Constants.FORM_ACTION)) {
- if (log.isDebugEnabled())
- log.debug(" Allow access to username/password
submission");
- return (true);
- }
- }
-
// Which user principal have we already authenticated?
Principal principal = request.getPrincipal();
boolean status = false;
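Review bot: With the FORM-login exemption removed from this method, a request for the configured login page or error page is now evaluated against the security constraints like any other request, so the allowance needed to actually serve those pages must presumably live on the authenticator side; the Modified list of this revision names only RealmBase.java, so if the matching FormAuthenticator change is in a separate revision it would help to reference it in the log message. The removed block decided access from a request-path suffix (`requestURI.endsWith(Constants.FORM_ACTION)`) and from configuration values, not from whether an authentication was actually in progress, which is why a realm-level check of this shape is hard to make safe. A short comment where the block stood, such as `// No FORM-login path exemptions here: login/error pages and the form action are subject to the constraints like any other resource; the authenticator is responsible for serving them.`, would tell the next reader why this method no longer special-cases FORM authentication. The enclosing method starts and ends outside the hunk.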