Re: [jetty-dev] Re: Security Constraints problem

Request.getRequestURI() ?


Jan

David Jencks wrote:

On Jun 1, 2009, at 8:47 AM, Greg Wilkins wrote:

Jeff McAffer wrote:
FYI, the Eclipse webmaster has enabled the security feature on bugzilla
that limits the visibility of security related discussions in an effort
to reduce exploits.  Bugs can be marked as security related (on the bug
itself).  From that point on only committers (I believe) can read the
bug. Use at your discretion.

Cool! Good feature!

but in this case it is a problem of a new feature in development, and is
not so much an exploit as a failure to log in. So it is good for this to
be open.

Jan - any luck reproducing with the test harness?

I'm pretty sure this is something to do with the fact that we now scope
for servlets before calling the security handler, so the path is
now split into servletPath and pathInfo depending on the mappings.

I think the security stuff was only looking at pathInfo because it used to
only be called before servlet scoping.

Right, that's the problem. I opened bug 278887 and patched FormAuthenticator like this:

-        String uri = request.getPathInfo();
+        String uri = request.getRequestURL().toString();
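Review bot: on the added line, `uri` now holds an absolute URL, since getRequestURL() includes scheme, host and port, whereas the removed getPathInfo() call returned only a path. Any later comparison of `uri` against path-style values needs rechecking, and the host portion is taken from the request. Consider request.getRequestURI(), or getServletPath() concatenated with getPathInfo(), both of which stay path-only and avoid building a StringBuffer, and add a short comment saying why pathInfo alone is no longer sufficient here.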


Is there a string already computed that would work as well as getRequestURL() and be quicker than constructing a StringBuffer and then a String?

thanks
david jencks



cheers




--
Jan Bartel, Webtide LLC | janb@xxxxxxxxxxx | http://www.webtide.com
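
An added illustration (not Jetty code and not from the thread) of the split Greg describes: once a request has been scoped to a servlet, pathInfo alone no longer carries the whole context-relative path, so a path check written against it stops matching. The class, method names, mappings, constraint pattern and request path are all constructed for the example, and the matching is simplified to exact, prefix and default servlet mappings.

```java
import java.util.List;

// Hypothetical demo class; simplified model of servlet path scoping.
public class ScopedPathDemo {
    /** servletPath / pathInfo pair produced by scoping a path to one mapping. */
    record Scoped(String servletPath, String pathInfo) {}

    // Split a context-relative path as the Servlet spec defines it for
    // prefix ("/x/*"), default ("/") and exact mappings. Returns null if no match.
    static Scoped scope(String path, String mapping) {
        if (mapping.endsWith("/*")) {
            String prefix = mapping.substring(0, mapping.length() - 2);
            if (path.equals(prefix)) return new Scoped(prefix, null);
            if (path.startsWith(prefix + "/"))
                return new Scoped(prefix, path.substring(prefix.length()));
            return null;
        }
        // Default and exact mappings: everything is servletPath, pathInfo is null.
        if (mapping.equals("/") || mapping.equals(path)) return new Scoped(path, null);
        return null;
    }

    // Prefix-style constraint check ("/a/b/*") against whatever string the caller supplies.
    static boolean constrained(String uri, String pattern) {
        if (uri == null) return false;
        String prefix = pattern.substring(0, pattern.length() - 2);
        return uri.equals(prefix) || uri.startsWith(prefix + "/");
    }

    // Rebuild the context-relative path from the two scoped halves.
    static String fullPath(Scoped s) {
        return s.pathInfo() == null ? s.servletPath() : s.servletPath() + s.pathInfo();
    }

    public static void main(String[] args) {
        String constraint = "/app/secure/*";  // constructed url-pattern
        String path = "/app/secure/report";   // constructed request path
        for (String mapping : List.of("/app/*", "/")) {
            Scoped s = scope(path, mapping);
            System.out.printf("mapping %-6s servletPath=%s pathInfo=%s%n",
                    mapping, s.servletPath(), s.pathInfo());
            System.out.println("  pathInfo only        -> constrained="
                    + constrained(s.pathInfo(), constraint));
            System.out.println("  servletPath+pathInfo -> constrained="
                    + constrained(fullPath(s), constraint));
        }
    }
}
```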
