Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51940
authormarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Mon, 10 Oct 2011 15:44:14 +0000 (15:44 +0000)
committermarkt <markt@13f79535-47bb-0310-9956-ffa450edef68>
Mon, 10 Oct 2011 15:44:14 +0000 (15:44 +0000)
Don't limit saving of request bodies during FORM authentication to POST requests since any HTTP method may include a body.
Based on a patch by Nicholas Sushkin

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1181028 13f79535-47bb-0310-9956-ffa450edef68

java/org/apache/catalina/authenticator/FormAuthenticator.java
java/org/apache/catalina/authenticator/LocalStrings.properties

index a6b874d..751028e 100644 (file)
@@ -368,6 +368,16 @@ public class FormAuthenticator
             HttpServletResponse response, LoginConfig config)
             throws IOException {
         
+        if (log.isDebugEnabled()) {
+            log.debug(sm.getString("formAuthenticator.forwardLogin",
+                    request.getRequestURI(), request.getMethod(),
+                    config.getLoginPage(),
+                    context.getServletContext().getContextPath()));
+        }
+
+        // Always use GET for the login page, regardless of the method used
+        request.getCoyoteRequest().method().setString("GET");
+
         String loginPage = config.getLoginPage();
         if (loginPage == null || loginPage.length() == 0) {
             String msg = sm.getString("formAuthenticator.noLoginPage",
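Review bot: The forced `GET` written at `request.getCoyoteRequest().method().setString("GET");` runs before the `loginPage == null || loginPage.length() == 0` check that follows it, so on the no-login-page error path the request's method is overwritten even though nothing is forwarded; moving the new statement down to just before the forward (after that check) keeps the error branch free of side effects on the request. The debug message is built from `request.getMethod()` before the override, which is the right order, as it is meant to report the original method. forwardToLoginPage's signature begins before this hunk and its body continues after it.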
@@ -535,27 +545,27 @@ public class FormAuthenticator
             // Ignore request body
         }
         
-        if ("POST".equalsIgnoreCase(saved.getMethod())) {
-            ByteChunk body = saved.getBody();
-            
-            if (body != null) {
-                request.getCoyoteRequest().action
-                    (ActionCode.REQ_SET_BODY_REPLAY, body);
-    
-                // Set content type
-                MessageBytes contentType = MessageBytes.newInstance();
-                
-                //If no content type specified, use default for POST
-                String savedContentType = saved.getContentType();
-                if (savedContentType == null) {
-                    savedContentType = "application/x-www-form-urlencoded";
-                }
+        ByteChunk body = saved.getBody();
+        String method = saved.getMethod();
+        
+        if (body != null) {
+            request.getCoyoteRequest().action
+                (ActionCode.REQ_SET_BODY_REPLAY, body);
 
-                contentType.setString(savedContentType);
-                request.getCoyoteRequest().setContentType(contentType);
+            // Set content type
+            MessageBytes contentType = MessageBytes.newInstance();
+            
+            // If no content type specified, use default for POST
+            String savedContentType = saved.getContentType();
+            if (savedContentType == null && "POST".equalsIgnoreCase(method)) {
+                savedContentType = "application/x-www-form-urlencoded";
             }
+
+            contentType.setString(savedContentType);
+            request.getCoyoteRequest().setContentType(contentType);
         }
-        request.getCoyoteRequest().method().setString(saved.getMethod());
+
+        request.getCoyoteRequest().method().setString(method);
 
         request.getCoyoteRequest().queryString().setString
             (saved.getQueryString());
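Review bot: For a saved non-POST request that has a body but no saved content type, the rewritten branch now reaches `contentType.setString(savedContentType);` with a null `savedContentType`, a case the old POST-only code never hit because it always defaulted; whether `setContentType` copes with a null-valued MessageBytes depends on semantics not visible here, so wrapping the two content-type lines in `if (savedContentType != null) { ... }` would make the intent explicit and avoid relying on it. The comment `// If no content type specified, use default for POST` now matches the condition on the line below it. The enclosing restoreRequest method starts before this hunk and continues after it.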
@@ -599,20 +609,22 @@ public class FormAuthenticator
             saved.addLocale(locale);
         }
 
-        if ("POST".equalsIgnoreCase(request.getMethod())) {
-            // May need to acknowledge a 100-continue expectation
-            request.getResponse().sendAcknowledgement();
+        // May need to acknowledge a 100-continue expectation
+        request.getResponse().sendAcknowledgement();
 
-            ByteChunk body = new ByteChunk();
-            body.setLimit(request.getConnector().getMaxSavePostSize());
+        ByteChunk body = new ByteChunk();
+        body.setLimit(request.getConnector().getMaxSavePostSize());
 
-            byte[] buffer = new byte[4096];
-            int bytesRead;
-            InputStream is = request.getInputStream();
-        
-            while ( (bytesRead = is.read(buffer) ) >= 0) {
-                body.append(buffer, 0, bytesRead);
-            }
+        byte[] buffer = new byte[4096];
+        int bytesRead;
+        InputStream is = request.getInputStream();
+    
+        while ( (bytesRead = is.read(buffer) ) >= 0) {
+            body.append(buffer, 0, bytesRead);
+        }
+
+        // Only save the request body if there is somethign to save
+        if (body.getLength() > 0) {
             saved.setContentType(request.getContentType());
             saved.setBody(body);
         }
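Review bot: The comment above the new `if (body.getLength() > 0)` guard has a typo, `somethign`; it should read `// Only save the request body if there is something to save`. Because the read loop now runs for every method rather than only POST, the `body.setLimit(request.getConnector().getMaxSavePostSize());` line is the sole bound on how much of an unauthenticated request's body gets buffered, which deserves a comment there such as `// Bounded by maxSavePostSize so a client that has not authenticated cannot make the server buffer an arbitrarily large body`. The now-unconditional `sendAcknowledgement()` presumably only emits a 100 Continue when the client sent an Expect header, but that is not visible in this hunk. saveRequest starts before this hunk and continues after it.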
index 98d68b6..e0f5ae8 100644 (file)
@@ -31,6 +31,7 @@ authenticator.userDataConstraint=This request violates a User Data constraint fo
 digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
  
 formAuthenticator.forwardErrorFail=Unexpected error forwarding to error page
+formAuthenticator.forwardLogin=Forwarding request for [{0}] made with method [{1}] to login page [{2}] of context [{3}] using request method GET  
 formAuthenticator.forwardLoginFail=Unexpected error forwarding to login page
 formAuthenticator.noErrorPage=No error page was defined for FORM authentication in context [{0}]
 formAuthenticator.noLoginPage=No login page was defined for FORM authentication in context [{0}]