diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index 2098c2e8ccc8..9697440d351e 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -688,9 +688,9 @@ public void backgroundProcess() {
// Check each defined security constraint
String uri = request.getRequestPathMB().toString();
- // Bug47080 - in rare cases this may be null
+ // Bug47080 - in rare cases this may be null or ""
// Mapper treats as '/' do the same to prevent NPE
- if (uri == null) {
+ if (uri == null || uri.length() == 0) {
uri = "/";
}
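Review bot: The retained comment `Mapper treats as '/' do the same to prevent NPE` explains only the null half of the new condition `if (uri == null || uri.length() == 0)`; an empty string cannot cause an NPE, so the reason for normalising it is left unstated. Judging from the second hunk in this file and the changelog entry, the empty case is presumably mapped to "/" so that constraints declared for the context root are matched. The comment should say so, for example `// Mapper treats null and "" as '/'; do the same to avoid an NPE and so that context-root constraints match`. The enclosing method starts and ends outside the hunk.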
@@ -722,7 +722,8 @@ public void backgroundProcess() {
}
for(int k=0; k < patterns.length; k++) {
- if(uri.equals(patterns[k])) {
+ // Exact match including special case for the context root.
+ if(uri.equals(patterns[k]) || patterns[k].length() == 0 && uri.equals("/")) {
found = true;
if(collection[j].findMethod(method)) {
if(results == null) {
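Review bot: The added condition `uri.equals(patterns[k]) || patterns[k].length() == 0 && uri.equals("/")` mixes `||` and `&&` without parentheses. It evaluates as intended because `&&` binds tighter, but in an authorization check the grouping should be explicit: `if (uri.equals(patterns[k]) || (patterns[k].length() == 0 && uri.equals("/"))) {`. `patterns[k].length()` also dereferences the element, whereas `uri.equals(patterns[k])` tolerated a null, so if a null pattern can ever reach this array the loop now throws instead of skipping it; `"".equals(patterns[k])` would keep the old tolerance. This loop is only the exact-match pass and the method continues outside the hunk, so it cannot be confirmed from here whether other comparisons of `uri` against constraint patterns need the same "" handling. No regression test for a constraint mapped to "" appears in the diff as shown, and one would be worth adding for a fix that decides whether a constraint is applied.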
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9ba89842348e..0501967aa9a0 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -82,6 +82,10 @@
rather than the user facing Principal object as Tomcat requires the
internal object to correctly process later authorization checks. (markt)
+
+ 62067: Correctly apply security constraints mapped to the
+ context root using a URL pattern of ""
. (markt)
+