From aea99b14aaff9a41337fab4427170814a53d85dd Mon Sep 17 00:00:00 2001
From: Greg Wilkins
Date: Tue, 2 Mar 2010 08:37:02 +0000
Subject: [PATCH] 304307 JETTY-1133 Handle ;jsessionid in FROM Auth
git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@1326 7e9141cc-0065-0410-87d8-b60c137991c4
---
 VERSION.txt | 1 +
 .../rewrite/handler/RedirectPatternRule.java | 2 +-
 .../rewrite/handler/RedirectRegexRule.java | 2 +-
 .../authentication/FormAuthenticator.java | 24 +++++++--
 .../jetty/security/ConstraintTest.java | 53 ++++++++++++++++++-
 .../server/handler/MovedContextHandler.java | 2 +-
 .../jetty/server/handler/ResourceHandler.java | 2 +-
 .../java/org/eclipse/jetty/servlets/CGI.java | 2 +-
 .../src/main/java/com/acme/Dump.java | 4 +-
 9 files changed, 79 insertions(+), 13 deletions(-)
diff --git a/VERSION.txt b/VERSION.txt
index 7f2ec374a0f..d943fe5a1c1 100644
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -19,6 +19,7 @@ jetty-7.0.2-SNAPSHOT
  + 302246 redirect loop using form authenticator
  + 302556 CrossOriginFilter does not work correctly when Access-Control-Request-Headers header is not present
  + 302669 WebInfConfiguration.unpack() unpacks WEB-INF/* from a ResourceCollection, breaking JSP reloading with ResourceCollections
+ + 304307 JETTY-1133 Handle ;jsessionid in FROM Auth
  + JETTY-776 Make new session-tests module to concentrate all reusable session clustering test code
  + JETTY-910 Allow request listeners to access session
  + JETTY-983 Range handling cleanup
diff --git a/jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/RedirectPatternRule.java b/jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/RedirectPatternRule.java
index ed88d694bb4..d5996995adc 100644
--- a/jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/RedirectPatternRule.java
+++ b/jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/RedirectPatternRule.java
@@ -49,7 +49,7 @@ public class RedirectPatternRule extends PatternRule
 */
 public String apply(String target, HttpServletRequest request, HttpServletResponse response) throws IOException
 {
- response.sendRedirect(_location);
+ response.sendRedirect(response.encodeRedirectURL(_location));
 return target;
 }
diff --git a/jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/RedirectRegexRule.java b/jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/RedirectRegexRule.java
index 077e9992758..060b3aa0757 100644
--- a/jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/RedirectRegexRule.java
+++ b/jetty-rewrite/src/main/java/org/eclipse/jetty/rewrite/handler/RedirectRegexRule.java
@@ -57,7 +57,7 @@ public class RedirectRegexRule extends RegexRule
 target=target.replaceAll("\\$"+g,group);
 }
- response.sendRedirect(target);
+ response.sendRedirect(response.encodeRedirectURL(target));
 return target;
 }
 }
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
index 0b253e56b8c..7a624ddc7fe 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/FormAuthenticator.java
@@ -154,7 +154,7 @@ public class FormAuthenticator extends LoginAuthenticator
 if (uri==null)
 uri=URIUtil.SLASH;
- mandatory|=uri.endsWith(__J_SECURITY_CHECK);
+ mandatory|=isJSecurityCheck(uri);
 if (!mandatory)
 return _deferred;
@@ -166,7 +166,7 @@ public class FormAuthenticator extends LoginAuthenticator
 try
 {
 // Handle a request for authentication.
- if (uri.endsWith(__J_SECURITY_CHECK))
+ if (isJSecurityCheck(uri))
 {
 final String username = request.getParameter(__J_USERNAME);
 final String password = request.getParameter(__J_PASSWORD);
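Review bot: `response.encodeRedirectURL(_location)` appends the session id to the redirect target whenever the client is not using a session cookie, and `_location` in RedirectPatternRule is operator configuration that may well be an absolute URL on another host; the same concern applies to the rewritten `target` in RedirectRegexRule, `url` in MovedContextHandler, the script-supplied `Location` value in CGI and the `redirect` value in Dump (whose origin is outside its hunk). Whether a `;jsessionid=` can thereby end up in a cross-site Location header depends on the container's encoder declining to rewrite off-site URLs, which this diff does not show; I would confirm that, or encode only same-server paths, e.g. `response.sendRedirect(_location.startsWith("/") ? response.encodeRedirectURL(_location) : _location);` as a conservative guard. None of the new tests exercises these five redirect sites, so a case with a cookie-less client and an absolute location would pin the behaviour. RedirectRegexRule's `apply` starts outside its hunk.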
@@ -213,7 +213,7 @@ public class FormAuthenticator extends LoginAuthenticator
 }
 else
 {
- response.sendRedirect(URIUtil.addPaths(request.getContextPath(),_formErrorPage));
+ response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formErrorPage)));
 }
 return Authentication.SEND_FAILURE;
@@ -260,7 +260,7 @@ public class FormAuthenticator extends LoginAuthenticator
 }
 else
 {
- response.sendRedirect(URIUtil.addPaths(request.getContextPath(),_formLoginPage));
+ response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getContextPath(),_formLoginPage)));
 }
 return Authentication.SEND_CONTINUE;
@@ -275,7 +275,21 @@ public class FormAuthenticator extends LoginAuthenticator
 throw new ServerAuthException(e);
 }
 }
-
+
+ /* ------------------------------------------------------------ */
+ public boolean isJSecurityCheck(String uri)
+ {
+ int jsc = uri.indexOf(__J_SECURITY_CHECK);
+
+ if (jsc<0)
+ return false;
+ int e=jsc+__J_SECURITY_CHECK.length();
+ if (e==uri.length())
+ return true;
+ char c = uri.charAt(e);
+ return c==';'||c=='#'||c=='/'||c=='?';
+ }
+
 /* ------------------------------------------------------------ */
 public boolean isLoginOrErrorPage(String pathInContext)
 {
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
index 5260e318f15..5adc8882ce7 100644
--- a/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
@@ -301,7 +301,6 @@ public class ConstraintTest extends TestCase
 response = _connector.getResponses("GET /ctx/testLoginPage HTTP/1.0\r\n"+ "Cookie: JSESSIONID=" + session + "\r\n" + "\r\n");
- System.err.println(response);
 assertTrue(response.indexOf(" 200 OK") > 0);
 assertTrue(response.indexOf("URI=/ctx/testLoginPage") > 0);
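Review bot: `isJSecurityCheck` replaces the old `endsWith(__J_SECURITY_CHECK)` test with `indexOf` plus a delimiter check that also accepts a trailing `/`, so a URI such as `.../j_security_check/anything` is now handled as the login action even though the check is no longer the last segment; unless that widening is intended I would drop `'/'` from the delimiter set and use `lastIndexOf` so the match stays anchored at the end of the path. Whether `'?'` or `'#'` can ever occur depends on where the callers' `uri` comes from (set outside these hunks; a request URI normally carries neither), and whether `__J_SECURITY_CHECK` starts with `/` (not visible here) decides if `indexOf` can also match inside a longer segment name such as `xj_security_check`. The method is public and undocumented; I would add `/** True if uri names the j_security_check action, optionally followed by path parameters (e.g. ;jsessionid=...), a query or a fragment. */`. Boundary cases for `...j_security_checkx` (false) and `.../j_security_check;jsessionid=1` (true) would pin that contract in ConstraintTest.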
@@ -335,6 +334,58 @@ public class ConstraintTest extends TestCase
 assertTrue(response.indexOf("!role") > 0);
 }
+ public void testFormNoCookies()
+ throws Exception
+ {
+ _security.setAuthenticator(new FormAuthenticator("/testLoginPage","/testErrorPage",false));
+ _security.setStrict(false);
+ _server.start();
+
+ String response;
+
+ response = _connector.getResponses("GET /ctx/noauth/info HTTP/1.0\r\n\r\n");
+ assertTrue(response.startsWith("HTTP/1.1 200 OK"));
+
+ response = _connector.getResponses("GET /ctx/forbid/info HTTP/1.0\r\n\r\n");
+ assertTrue(response.startsWith("HTTP/1.1 403 Forbidden"));
+
+ response = _connector.getResponses("GET /ctx/auth/info HTTP/1.0\r\n\r\n");
+ assertTrue(response.indexOf(" 302 Found") > 0);
+ assertTrue(response.indexOf("/ctx/testLoginPage") > 0);
+ int jsession=response.indexOf(";jsessionid=");
+ String session = response.substring(jsession + 12, response.indexOf("\r\n",jsession));
+
+ response = _connector.getResponses("GET /ctx/testLoginPage;jsessionid="+session+" HTTP/1.0\r\n"+ "\r\n");
+ assertTrue(response.indexOf(" 200 OK") > 0);
+ assertTrue(response.indexOf("URI=/ctx/testLoginPage") > 0);
+
+ response = _connector.getResponses("POST /ctx/j_security_check;jsessionid="+session+" HTTP/1.0\r\n" +
+ "Content-Type: application/x-www-form-urlencoded\r\n" +
+ "Content-Length: 31\r\n" +
+ "\r\n" +
+ "j_username=user&j_password=wrong\r\n");
+ assertTrue(response.indexOf("Location") > 0);
+
+ response = _connector.getResponses("POST /ctx/j_security_check;jsessionid="+session+" HTTP/1.0\r\n" +
+ "Content-Type: application/x-www-form-urlencoded\r\n" +
+ "Content-Length: 35\r\n" +
+ "\r\n" +
+ "j_username=user&j_password=password\r\n");
+ assertTrue(response.startsWith("HTTP/1.1 302 "));
+ assertTrue(response.indexOf("Location") > 0);
+ assertTrue(response.indexOf("/ctx/auth/info") > 0);
+
+ response = _connector.getResponses("GET /ctx/auth/info;jsessionid="+session+" HTTP/1.0\r\n" +
+ "\r\n");
+ assertTrue(response.startsWith("HTTP/1.1 200 OK"));
+
+ response = _connector.getResponses("GET /ctx/admin/info;jsessionid="+session+" HTTP/1.0\r\n" +
+ "\r\n");
+ assertTrue(response.startsWith("HTTP/1.1 403"));
+ assertTrue(response.indexOf("!role") > 0);
+ }
+
 public void testStrictBasic()
 throws Exception
 {
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/MovedContextHandler.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/MovedContextHandler.java
index ef401d5a15c..ba179803811 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/MovedContextHandler.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/MovedContextHandler.java
@@ -107,7 +107,7 @@ public class MovedContextHandler extends ContextHandler
 if (!_discardQuery && request.getQueryString()!=null)
 url+="?"+request.getQueryString();
- response.sendRedirect(url);
+ response.sendRedirect(response.encodeRedirectURL(url));
 String path=_newContextURL;
 if (!_discardPathInfo && request.getPathInfo()!=null)
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ResourceHandler.java b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ResourceHandler.java
index 92744fa1183..2bbc84f93d3 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ResourceHandler.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ResourceHandler.java
@@ -302,7 +302,7 @@ public class ResourceHandler extends AbstractHandler
 {
 if (!request.getPathInfo().endsWith(URIUtil.SLASH))
 {
- response.sendRedirect(URIUtil.addPaths(request.getRequestURI(),URIUtil.SLASH));
+ response.sendRedirect(response.encodeRedirectURL(URIUtil.addPaths(request.getRequestURI(),URIUtil.SLASH)));
 return;
 }
diff --git a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java
index 2ef4eb093ef..dc2a673fe8a 100644
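Review bot: `testFormNoCookies` never checks that the login redirect actually carried `;jsessionid=`: when `indexOf` returns -1, `jsession + 12` is 11 and `indexOf("\r\n",jsession)` still finds the first line end, so `session` silently becomes a slice of the status line and the later requests run with a bogus id rather than the test failing at the point of interest; add `assertTrue(jsession > 0);` before the `substring`. The post-login 302 is only checked for `/ctx/auth/info`, so the behaviour this commit is about — a cookie-less client keeping its session on the redirect back to the protected resource — is not pinned; `assertTrue(response.indexOf("/ctx/auth/info;jsessionid="+session) > 0);` would do that. By my count `j_username=user&j_password=wrong` is 32 bytes while the first POST declares `Content-Length: 31`, so the server reads the password as `wron`; the login still fails, but the declared length should match the body. It is also visible that the `session` captured before authentication is accepted unchanged for `/ctx/auth/info` afterwards, i.e. the id is not renewed on login; now that the same id also travels in URLs, that deserves an explicit decision rather than being implied by the test.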
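Review bot: In the ResourceHandler hunk the directory redirect is built from `request.getRequestURI()`, which in the cookie-less case this commit targets may still contain the `;jsessionid=...` path parameter (the raw request URI usually keeps it); `addPaths` then puts the slash after that parameter and `encodeRedirectURL` may append the session parameter a second time, yielding something like `/dir;jsessionid=X/;jsessionid=X`. Whether the encoder strips an existing parameter first is not visible here; if it does not, I would build the target from the parameter-free path (context path plus path info, plus the query string when present) and encode that. The enclosing method starts and ends outside the hunk.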
--- a/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java
+++ b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/CGI.java
@@ -309,7 +309,7 @@ public class CGI extends HttpServlet
 String value = line.substring(k+1).trim();
 if ("Location".equals(key))
 {
- res.sendRedirect(value);
+ res.sendRedirect(res.encodeRedirectURL(value));
 }
 else if ("Status".equals(key))
 {
diff --git a/test-jetty-webapp/src/main/java/com/acme/Dump.java b/test-jetty-webapp/src/main/java/com/acme/Dump.java
index cd00632fc97..9af5d81bdc8 100644
--- a/test-jetty-webapp/src/main/java/com/acme/Dump.java
+++ b/test-jetty-webapp/src/main/java/com/acme/Dump.java
@@ -78,7 +78,7 @@ public class Dump extends HttpServlet
 {
 if(request.getPathInfo()!=null && request.getPathInfo().toLowerCase().indexOf("script")!=-1)
 {
- response.sendRedirect(getServletContext().getContextPath() + "/dump/info");
+ response.sendRedirect(response.encodeRedirectURL(getServletContext().getContextPath() + "/dump/info"));
 return;
 }
@@ -325,7 +325,7 @@ public class Dump extends HttpServlet
 if (redirect != null && redirect.length() > 0)
 {
 response.getOutputStream().println("THIS SHOULD NOT BE SEEN!");
- response.sendRedirect(redirect);
+ response.sendRedirect(response.encodeRedirectURL(redirect));
 try
 {
 response.getOutputStream().println("THIS SHOULD NOT BE SEEN!");