From a44a6798efb83b4c4f18d7581aafadea6cd85001 Mon Sep 17 00:00:00 2001 From: markt Date: Wed, 20 Oct 2010 21:55:30 +0000 Subject: [PATCH] Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=3839 Provide a mechanism to gracefully handle the case where users book-mark the form login page or otherwise abuse the FORM authentication process. Based on a suggestion by Mark Morris. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1025775 13f79535-47bb-0310-9956-ffa450edef68 --- .../catalina/authenticator/FormAuthenticator.java | 51 ++++++++++++++++++++-- webapps/docs/changelog.xml | 5 +++ webapps/docs/config/valve.xml | 13 ++++++ 3 files changed, 65 insertions(+), 4 deletions(-) diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index f8ed35ce2..5b57e2227 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -75,6 +75,12 @@ public class FormAuthenticator */ protected String characterEncoding = null; + /** + * Landing page to use if a user tries to access the login page directly or + * if the session times out during login. If not set, error responses will + * be sent instead. + */ + protected String landingPage = null; // ------------------------------------------------------------- Properties @@ -106,6 +112,22 @@ public class FormAuthenticator } + /** + * Return the landing page to use when FORM auth is mis-used. + */ + public String getLandingPage() { + return landingPage; + } + + + /** + * Set the landing page to use when the FORM auth is mis-used. + */ + public void setLandingPage(String landingPage) { + this.landingPage = landingPage; + } + + // --------------------------------------------------------- Public Methods 
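Review bot: `setLandingPage` in the `@@ -106` hunk stores the value without checking its shape, yet the `@@ -273` and `@@ -291` hunks build the redirect target as `request.getContextPath() + landingPage` verbatim. A value without a leading `/` yields a malformed path (`/app` + `login.jsp` becomes `/applogin.jsp`), and under the root context, where the context path is the empty string, a value beginning with `//` would make `sendRedirect` send the browser away from the application. The value is operator configuration rather than request input, so the exposure is a misconfiguration, but the setter is the natural place to fail fast: `if (landingPage != null && (!landingPage.startsWith("/") || landingPage.startsWith("//"))) throw new IllegalArgumentException("landingPage must be a context-relative path starting with a single '/': " + landingPage);`. The Javadoc on both accessors would also benefit from stating the contract, e.g. `@param landingPage context-relative path beginning with '/', or null to send error responses instead`.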
@@ -273,8 +295,19 @@ public class FormAuthenticator if (containerLog.isDebugEnabled()) containerLog.debug ("User took so long to log on the session expired"); - response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT, - sm.getString("authenticator.sessionExpired")); + if (landingPage == null) { + response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT, + sm.getString("authenticator.sessionExpired")); + } else { + // Make the authenticator think the user originally requested + // the landing page + String uri = request.getContextPath() + landingPage; + SavedRequest saved = new SavedRequest(); + saved.setRequestURI(uri); + request.getSessionInternal(true).setNote( + Constants.FORM_REQUEST_NOTE, saved); + response.sendRedirect(response.encodeRedirectURL(uri)); + } return (false); } @@ -291,8 +324,18 @@ public class FormAuthenticator if (log.isDebugEnabled()) log.debug("Redirecting to original '" + requestURI + "'"); if (requestURI == null) - response.sendError(HttpServletResponse.SC_BAD_REQUEST, - sm.getString("authenticator.formlogin")); + if (landingPage == null) { + response.sendError(HttpServletResponse.SC_BAD_REQUEST, + sm.getString("authenticator.formlogin")); + } else { + // Make the authenticator think the user originally requested + // the landing page + String uri = request.getContextPath() + landingPage; + SavedRequest saved = new SavedRequest(); + saved.setRequestURI(uri); + session.setNote(Constants.FORM_REQUEST_NOTE, saved); + response.sendRedirect(response.encodeRedirectURL(uri)); + } else response.sendRedirect(response.encodeRedirectURL(requestURI)); return (false); diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 175c0db6c..68d862650 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
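Review bot: In the `@@ -273` hunk the synthetic `SavedRequest` carries only a request URI; its method and whatever else `restoreRequest` presumably copies back are left null, so the shape of the restored request when the landing page is reached after login should be confirmed, and `saved.setMethod("GET");` next to `setRequestURI` makes the placeholder explicit rather than relying on null handling elsewhere. The same block (build `uri`, create the `SavedRequest`, set its URI, store it under `Constants.FORM_REQUEST_NOTE`, redirect) is repeated in the `@@ -291` hunk, differing only in where the session comes from; a private helper taking the session to write the note into would remove the duplication and keep the two paths from drifting. Both enclosing blocks start and end outside their hunks.
```java
} else {
    redirectToLandingPage(request, response, request.getSessionInternal(true));
}
// … unchanged: return (false); …

/** Stores a synthetic saved request for the landing page in the session and redirects there. */
private void redirectToLandingPage(Request request, HttpServletResponse response,
        Session session) throws IOException {
    String uri = request.getContextPath() + landingPage;
    SavedRequest saved = new SavedRequest();
    saved.setMethod("GET"); // NOTE(review): confirm what restoreRequest does with a null method
    saved.setRequestURI(uri);
    session.setNote(Constants.FORM_REQUEST_NOTE, saved);
    response.sendRedirect(response.encodeRedirectURL(uri));
}
```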
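Review bot: In the `@@ -291` hunk the outer `if (requestURI == null)` is left unbraced while its new body is a braced if/else, so the trailing `else response.sendRedirect(...)` binds to the outer `if` only because the inner statement is already complete; that parses correctly but is exactly the dangling-else shape a later edit is likely to break. Bracing the outer statement, `if (requestURI == null) { ... } else { response.sendRedirect(response.encodeRedirectURL(requestURI)); }`, makes the nesting explicit and matches the braced style the new inner branch already uses. The enclosing method starts and ends outside the hunk.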
@@ -40,6 +40,11 @@ + 3839: Provide a mechanism to gracefully handle the case where + users book-mark the form login page or otherwise misuse the FORM + authentication process. Based on a suggestion by Mark Morris. (markt) + + 49991: Ensure servlet request listeners are fired for the login and error pages during FORM authentication. (markt) diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml index d4d3a9c74..a4dc5a7c3 100644 --- a/webapps/docs/config/valve.xml +++ b/webapps/docs/config/valve.xml @@ -552,6 +552,19 @@ workaround for browser caching issues. If not set, the default value of true will be used.

+ + +

Controls the behavior of the FORM authentication process if the + process is misused, for example by directly requesting the login page + or delaying logging in for so long that the session expires. If this + attribute is set, rather than returning an error response code, Tomcat + will redirect the user to the specified landing page if the login form + is submitted with valid credentials. For the login to be processed, the + landing page must be a protected resource (i.e. one that requires + authentication). If the landing page does not require authentication + then the user will not be logged in and will be prompted for their + credentials again when they access a protected page.

+

Controls the caching of pages that are protected by security -- 2.11.0