diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index 2098c2e8ccc8..9697440d351e 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -688,9 +688,9 @@ public void backgroundProcess() {
 // Check each defined security constraint
 String uri = request.getRequestPathMB().toString();
- // Bug47080 - in rare cases this may be null
+ // Bug47080 - in rare cases this may be null or ""
 // Mapper treats as '/' do the same to prevent NPE
- if (uri == null) {
+ if (uri == null || uri.length() == 0) {
 uri = "/";
 }
@@ -722,7 +722,8 @@ public void backgroundProcess() {
 }
 for(int k=0; k < patterns.length; k++) {
- if(uri.equals(patterns[k])) {
+ // Exact match including special case for the context root.
+ if(uri.equals(patterns[k]) || patterns[k].length() == 0 && uri.equals("/")) {
 found = true;
 if(collection[j].findMethod(method)) {
 if(results == null) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9ba89842348e..0501967aa9a0 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -82,6 +82,10 @@
 rather than the user facing Principal object as Tomcat requires the internal object to correctly process later authorization checks. (markt)
+
+ 62067: Correctly apply security constraints mapped to the
+ context root using a URL pattern of "". (markt)
+
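Review bot: In the first RealmBase.java hunk (@@ -688), the context comment `// Mapper treats as '/' do the same to prevent NPE` no longer explains the branch it sits above: an empty string cannot cause an NPE, so the reason for mapping `""` to `/` is left unstated. Because this value feeds the security-constraint matching that follows, I would state it, e.g. `// An empty request path is the context root; use "/" so constraints are matched against it`. `uri.isEmpty()` would also read more directly than `uri.length() == 0`. The enclosing method starts and ends outside the hunk.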
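Review bot: In the second RealmBase.java hunk (@@ -722), the new condition mixes `||` and `&&` without grouping; Java's precedence gives the intended result, but in an authorization match the grouping should be explicit: `if(uri.equals(patterns[k]) || (patterns[k].length() == 0 && uri.equals("/"))) {`. The added `patterns[k].length()` also dereferences the element, where `uri.equals(patterns[k])` alone tolerated a null entry; whether `patterns` can hold a null is not visible here, so that is worth confirming. No test file appears in this diff, and a regression test that requests the context root of an application with a constraint on the `""` pattern would pin the fix. The loop and its enclosing method continue outside the hunk.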