Merged revision 1377887 from tomcat/trunk:

Remove unneeded handling of FORM authentication in RealmBase. The login and error pages are handled via forward, so processing completes before this code is ever reached. The action page is handled elsewhere. git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1377892 13f79535-47bb-0310-9956-ffa450edef68
apache · Aug 27, 2012 · f78c0cd · f78c0cd
1 parent 1956dac
commit f78c0cd
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 26 deletions.
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
@@ -45,7 +45,6 @@
 import org.apache.catalina.Wrapper;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
-import org.apache.catalina.deploy.LoginConfig;
 import org.apache.catalina.deploy.SecurityCollection;
 import org.apache.catalina.deploy.SecurityConstraint;
 import org.apache.catalina.mbeans.MBeanUtils;
@@ -822,31 +821,6 @@ public boolean hasResourcePermission(Request request,
         if (constraints == null || constraints.length == 0)
             return (true);
 
-        // Specifically allow access to the form login and form error pages
-        // and the "j_security_check" action
-        LoginConfig config = context.getLoginConfig();
-        if ((config != null) &&
-            (Constants.FORM_METHOD.equals(config.getAuthMethod()))) {
-            String requestURI = request.getRequestPathMB().toString();
-            String loginPage = config.getLoginPage();
-            if (loginPage.equals(requestURI)) {
-                if (log.isDebugEnabled())
-                    log.debug(" Allow access to login page " + loginPage);
-                return (true);
-            }
-            String errorPage = config.getErrorPage();
-            if (errorPage.equals(requestURI)) {
-                if (log.isDebugEnabled())
-                    log.debug(" Allow access to error page " + errorPage);
-                return (true);
-            }
-            if (requestURI.endsWith(Constants.FORM_ACTION)) {
-                if (log.isDebugEnabled())
-                    log.debug(" Allow access to username/password submission");
-                return (true);
-            }
-        }
-
         // Which user principal have we already authenticated?
         Principal principal = request.getPrincipal();
         boolean status = false;

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -182,6 +182,9 @@
         Improve performance of DIGEST authenticator for concurrent requests.
         (markt)
       </fix>
+      <fix>
+        Remove unneeded handling of FORM authentication in RealmBase. (kkolinko)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">