Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62067

markt-asf · markt-asf · commit 9e700b93e3bf · 2018-02-06T11:40:42.000Z
Correctly apply security constraints mapped to the context root using a URL pattern of "" git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk@1823308 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
@@ -757,9 +757,9 @@ public void backgroundProcess() {
 
         // Check each defined security constraint
         String uri = request.getRequestPathMB().toString();
-        // Bug47080 - in rare cases this may be null
+        // Bug47080 - in rare cases this may be null or ""
         // Mapper treats as '/' do the same to prevent NPE
-        if (uri == null) {
+        if (uri == null || uri.length() == 0) {
             uri = "/";
         }
 
@@ -791,7 +791,8 @@ public void backgroundProcess() {
                 }
 
                 for(int k=0; k < patterns.length; k++) {
-                    if(uri.equals(patterns[k])) {
+                    // Exact match including special case for the context root.
+                    if(uri.equals(patterns[k]) || patterns[k].length() == 0 && uri.equals("/")) {
                         found = true;
                         if(collection[j].findMethod(method)) {
                             if(results == null) {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -69,6 +69,10 @@
         rather than the user facing Principal object as Tomcat requires the
         internal object to correctly process later authorization checks. (markt)
       </fix>
+      <fix>
+        <bug>62067</bug>: Correctly apply security constraints mapped to the
+        context root using a URL pattern of <code>&quot;&quot;</code>. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">
