From 9e700b93e3bf5c605267d20568a964169f9e0b79 Mon Sep 17 00:00:00 2001
From: Mark Thomas
Date: Tue, 6 Feb 2018 11:40:42 +0000
Subject: [PATCH] Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62067 Correctly apply security constraints mapped to the context root using a URL pattern of ""
git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk@1823308 13f79535-47bb-0310-9956-ffa450edef68
---
 java/org/apache/catalina/realm/RealmBase.java | 7 ++++---
 webapps/docs/changelog.xml | 4 ++++
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
index deab50201..f68686269 100644
--- a/java/org/apache/catalina/realm/RealmBase.java
+++ b/java/org/apache/catalina/realm/RealmBase.java
@@ -757,9 +757,9 @@ public void backgroundProcess() {
 // Check each defined security constraint
 String uri = request.getRequestPathMB().toString();
- // Bug47080 - in rare cases this may be null
+ // Bug47080 - in rare cases this may be null or ""
 // Mapper treats as '/' do the same to prevent NPE
- if (uri == null) {
+ if (uri == null || uri.length() == 0) {
 uri = "/";
 }
@@ -791,7 +791,8 @@ public void backgroundProcess() {
 }
 for(int k=0; k < patterns.length; k++) {
- if(uri.equals(patterns[k])) {
+ // Exact match including special case for the context root.
+ if(uri.equals(patterns[k]) || patterns[k].length() == 0 && uri.equals("/")) {
 found = true;
 if(collection[j].findMethod(method)) {
 if(results == null) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index da2e3710a..372627f46 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -69,6 +69,10 @@ rather than the user facing Principal object as Tomcat requires the internal object to correctly process later authorization checks. (markt)
+
+ 62067: Correctly apply security constraints mapped to the
+ context root using a URL pattern of "". (markt)
+
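Review bot: The comment kept directly under the changed line in the first RealmBase.java hunk (`// Mapper treats as '/' do the same to prevent NPE`) no longer explains the new `uri.length() == 0` branch, because an empty string cannot cause an NPE. The branch is there so that an empty request path is matched against the constraints as the context root, and the comment should say so, for example `// Mapper treats null and "" as "/"; do the same so constraint matching sees the context root (and null cannot NPE below)`. `uri.isEmpty()` would also read more directly than `uri.length() == 0`. The enclosing method starts and ends outside the hunk.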
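Review bot: In the second RealmBase.java hunk the new condition relies on `&&` binding tighter than `||`; in an authorization check the grouping is better made explicit, `if(uri.equals(patterns[k]) || (patterns[k].length() == 0 && uri.equals("/"))) {`. The added `patterns[k].length()` also dereferences the pattern, where the old `uri.equals(patterns[k])` tolerated a null element; whether findPatterns() can return null entries is not visible here, so that is worth confirming. The diffstat lists only RealmBase.java and changelog.xml, so no regression test accompanies this access-control fix. A test that maps a constraint to the `""` pattern and requests the context root would pin the behaviour. The loop and its enclosing method continue outside the hunk.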