From 723ea6a5bc5e7bc49e5ef84273c3b3c164a6a4fd Mon Sep 17 00:00:00 2001
From: Mark Thomas
Date: Tue, 6 Feb 2018 11:38:09 +0000
Subject: [PATCH] Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62067 Correctly apply security constraints mapped to the context root using a URL pattern of ""
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1823306 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/realm/RealmBase.java | 7 ++++---
 webapps/docs/changelog.xml | 4 ++++
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index 644cd2fdbaf0..321697f40b80 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -546,9 +546,9 @@ public void backgroundProcess() {
 // Check each defined security constraint
 String uri = request.getRequestPathMB().toString();
- // Bug47080 - in rare cases this may be null
+ // Bug47080 - in rare cases this may be null or ""
 // Mapper treats as '/' do the same to prevent NPE
- if (uri == null) {
+ if (uri == null || uri.length() == 0) {
 uri = "/";
 }
@@ -580,7 +580,8 @@ public void backgroundProcess() {
 }
 for(int k=0; k < patterns.length; k++) {
- if(uri.equals(patterns[k])) {
+ // Exact match including special case for the context root.
+ if(uri.equals(patterns[k]) || patterns[k].length() == 0 && uri.equals("/")) {
 found = true;
 if(collection[j].findMethod(method)) {
 if(results == null) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 37e155cb9267..5857203b9d72 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -91,6 +91,10 @@ When using Tomcat embedded, only perform Authenticator configuration once during web application start. (markt)
+
+ 62067: Correctly apply security constraints mapped to the
+ context root using a URL pattern of "". (markt)
+
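Review bot: In the hunk at @@ -546, the comment above the widened guard still gives "to prevent NPE" as the reason, but an empty string cannot cause an NPE; the new case exists so that a request for the context root is compared against constraints under one canonical path. I would reword the second comment line to say so, for example `// Mapper treats both as '/'; do the same so null is safe and "" matches context-root constraints`. `uri.isEmpty()` would also read more directly than `uri.length() == 0`. The enclosing method starts and ends outside the hunk.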
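Review bot: In the hunk at @@ -580, the new exact-match condition mixes `||` and `&&` without parentheses, so a reader has to rely on operator precedence in a line that decides whether a security constraint applies. Grouping it explicitly makes the intent unmistakable: `if (uri.equals(patterns[k]) || (patterns[k].length() == 0 && uri.equals("/"))) {`. The old `uri.equals(patterns[k])` tolerated a null entry, whereas `patterns[k].length()` would throw on one; whether a null pattern can reach this loop is not visible here, so that is worth confirming. The diffstat shows no test file, and a regression test that requests the context root of an application with a `""` URL-pattern constraint would guard against this access-control gap reopening. The loop and its enclosing method continue outside the hunk.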