now allows unrestricted access to login page and error page

diff --git a/src/share/org/securityfilter/filter/SecurityFilter.java b/src/share/org/securityfilter/filter/SecurityFilter.java
index a029ddc..cf5023c 100644 (file)
--- a/src/share/org/securityfilter/filter/SecurityFilter.java
+++ b/src/share/org/securityfilter/filter/SecurityFilter.java
@@ -1,7 +1,7 @@
 /*
- * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityFilter.java,v 1.12 2003/01/06 00:17:25 maxcooper Exp $
- * $Revision: 1.12 $
- * $Date: 2003/01/06 00:17:25 $
+ * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityFilter.java,v 1.13 2003/01/06 01:14:23 maxcooper Exp $
+ * $Revision: 1.13 $
+ * $Date: 2003/01/06 01:14:23 $
  *
  * ====================================================================
  * The SecurityFilter Software License, Version 1.1
@@ -75,7 +75,7 @@ import java.util.*;
  *
  * @author Max Cooper (max@maxcooper.com)
  * @author Torgeir Veimo (torgeir@pobox.com)
- * @version $Revision: 1.12 $ $Date: 2003/01/06 00:17:25 $
+ * @version $Revision: 1.13 $ $Date: 2003/01/06 01:14:23 $
  */
 public class SecurityFilter implements Filter {
    public static final String SAVED_REQUEST_URL = SecurityFilter.class.getName() + ".SAVED_REQUEST_URL";
@@ -90,7 +90,9 @@ public class SecurityFilter implements Filter {
    protected FilterConfig config;
    protected SecurityRealmInterface realm;
    protected String loginPage;
+   protected URLPattern loginPagePattern;
    protected String errorPage;
+   protected URLPattern errorPagePattern;
    protected String defaultPage;
    protected URLPatternFactory patternFactory;
    protected List patternList;
@@ -143,8 +145,16 @@ public class SecurityFilter implements Filter {
                return;
             }
 
-            // check if request matches security constraint
-            match = matchPattern(requestURL, wrappedRequest.getMethod(), patternMatcher);
+            // only check the request for a security constraint match if it doesn't
+            // match the login page or error page patterns -- this allows requests for the
+            // login page and error pages to be viewed even when their URLs would otherwise
+            // be subject to a security constraint
+            if (!patternMatcher.match(requestURL, loginPagePattern)
+               && !patternMatcher.match(requestURL, loginPagePattern)
+            ) {
+               // check if request matches security constraint
+               match = matchPattern(requestURL, wrappedRequest.getMethod(), patternMatcher);
+            }
          } catch (Exception e) {
             throw new ServletException("Error matching patterns", e);
          }
@@ -211,10 +221,14 @@ public class SecurityFilter implements Filter {
 
          // get config values
          realm = securityConfig.getRealm();
-         errorPage = securityConfig.getErrorPage();
-         loginPage = securityConfig.getLoginPage();
          defaultPage = securityConfig.getDefaultPage();
 
+         // get login and error page patterns
+         loginPage = securityConfig.getLoginPage();
+         loginPagePattern = patternFactory.createURLPattern(loginPage, null, null, 0);
+         errorPage = securityConfig.getErrorPage();
+         errorPagePattern = patternFactory.createURLPattern(errorPage, null, null, 0);
+
          // create pattern list
          patternList = new ArrayList();
          int order = 1;