CVE-2015-5345

@@ -236,6 +236,20 @@ public boolean authenticate(Request request,
 
         // No -- Save this request and redirect to the form login page
         if (!loginAction) {
+            // If this request was to the root of the context without a trailing
+            // '/', need to redirect to add it else the submit of the login form
+            // may not go to the correct web application
+            if (request.getServletPath().length() == 0 && request.getPathInfo() == null) {
+                StringBuilder location = new StringBuilder(requestURI);
+                location.append('/');
+                if (request.getQueryString() != null) {
+                    location.append('?');
+                    location.append(request.getQueryString());
+                }
+                response.sendRedirect(response.encodeRedirectURL(location.toString()));
+                return false;
+            }
+
             session = request.getSessionInternal(true);
             if (log.isDebugEnabled()) {
                 log.debug("Save request in session '" + session.getIdInternal() + "'");

@@ -375,6 +375,10 @@ public void init() throws ServletException {
      * @param request The servlet request we are processing
      */
     protected String getRelativePath(HttpServletRequest request) {
+        return getRelativePath(request, false);
+    }
+
+    protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) {
         // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
         // serves resources from the web app root with context rooted paths.
         // i.e. it can not be used to mount the web app root under a sub-path
@@ -400,7 +404,7 @@ protected String getRelativePath(HttpServletRequest request) {
         if (pathInfo != null) {
             result.append(pathInfo);
         }
-        if (result.length() == 0) {
+        if (result.length() == 0 && !allowEmptyPath) {
             result.append('/');
         }
 
@@ -778,7 +782,8 @@ protected void serveResource(HttpServletRequest request,
         boolean serveContent = content;
 
         // Identify the requested resource path
-        String path = getRelativePath(request);
+        String path = getRelativePath(request, true);
+
         if (debug > 0) {
             if (serveContent)
                 log("DefaultServlet.serveResource:  Serving resource '" +
@@ -788,6 +793,12 @@ protected void serveResource(HttpServletRequest request,
                     path + "' headers only");
         }
 
+        if (path.length() == 0) {
+            // Context root redirect
+            doDirectoryRedirect(request, response);
+            return;
+        }
+
         CacheEntry cacheEntry = resources.lookupCache(path);
 
         if (!cacheEntry.exists) {
@@ -857,13 +868,7 @@ protected void serveResource(HttpServletRequest request,
         if (cacheEntry.context != null) {
 
             if (!path.endsWith("/")) {
-                StringBuilder location = new StringBuilder(request.getRequestURI());
-                location.append('/');
-                if (request.getQueryString() != null) {
-                    location.append('?');
-                    location.append(request.getQueryString());
-                }
-                response.sendRedirect(response.encodeRedirectURL(location.toString()));
+                doDirectoryRedirect(request, response);
                 return;
             }
 
@@ -1074,6 +1079,16 @@ protected void serveResource(HttpServletRequest request,
 
     }
 
+    private void doDirectoryRedirect(HttpServletRequest request, HttpServletResponse response)
+            throws IOException {
+        StringBuilder location = new StringBuilder(request.getRequestURI());
+        location.append('/');
+        if (request.getQueryString() != null) {
+            location.append('?');
+            location.append(request.getQueryString());
+        }
+        response.sendRedirect(response.encodeRedirectURL(location.toString()));
+    }
 
     /**
      * Parse the content-range header.

@@ -430,6 +430,11 @@ protected boolean checkIfHeaders(HttpServletRequest request,
      */
     @Override
     protected String getRelativePath(HttpServletRequest request) {
+        return getRelativePath(request, false);
+    }
+
+    @Override
+    protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) {
         String pathInfo;
 
         if (request.getAttribute(RequestDispatcher.INCLUDE_REQUEST_URI) != null) {

@@ -887,20 +887,13 @@ private final void internalMapWrapper(ContextVersion contextVersion,
 
         int pathOffset = path.getOffset();
         int pathEnd = path.getEnd();
-        int servletPath = pathOffset;
         boolean noServletPath = false;
 
         int length = contextVersion.path.length();
-        if (length != (pathEnd - pathOffset)) {
-            servletPath = pathOffset + length;
-        } else {
+        if (length == (pathEnd - pathOffset)) {
             noServletPath = true;
-            path.append('/');
-            pathOffset = path.getOffset();
-            pathEnd = path.getEnd();
-            servletPath = pathOffset+length;
         }
-
+        int servletPath = pathOffset + length;
         path.setOffset(servletPath);
 
         // Rule 1 -- Exact Match
@@ -938,8 +931,10 @@ private final void internalMapWrapper(ContextVersion contextVersion,
         if(mappingData.wrapper == null && noServletPath &&
                 contextVersion.mapperContextRootRedirectEnabled) {
             // The path is empty, redirect to "/"
+            path.append('/');
+            pathEnd = path.getEnd();
             mappingData.redirectPath.setChars
-                (path.getBuffer(), pathOffset, pathEnd-pathOffset);
+                (path.getBuffer(), pathOffset, pathEnd - pathOffset);
             path.setEnd(pathEnd - 1);
             return;
         }
@@ -1060,7 +1055,11 @@ private final void internalMapWrapper(ContextVersion contextVersion,
                 Object file = null;
                 String pathStr = path.toString();
                 try {
-                    file = contextVersion.resources.lookup(pathStr);
+                    if (pathStr.length() == 0) {
+                        file = contextVersion.resources.lookup("/");
+                    } else {
+                        file = contextVersion.resources.lookup(pathStr);
+                    }
                 } catch(NamingException nex) {
                     // Swallow, since someone else handles the 404
                 }

@@ -58,6 +58,15 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 7.0.67 (violetagg)">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        <bug>58660</bug>: Correct a regression in 8.0.29 caused by the change
+        that moved the redirection for context roots from the Mapper to the
+        Default Servlet. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="WebSocket">
     <changelog>
       <fix>

@@ -214,6 +214,20 @@ public boolean authenticate(Request request, HttpServletResponse response)
 
         // No -- Save this request and redirect to the form login page
         if (!loginAction) {
+            // If this request was to the root of the context without a trailing
+            // '/', need to redirect to add it else the submit of the login form
+            // may not go to the correct web application
+            if (request.getServletPath().length() == 0 && request.getPathInfo() == null) {
+                StringBuilder location = new StringBuilder(requestURI);
+                location.append('/');
+                if (request.getQueryString() != null) {
+                    location.append('?');
+                    location.append(request.getQueryString());
+                }
+                response.sendRedirect(response.encodeRedirectURL(location.toString()));
+                return false;
+            }
+
             session = request.getSessionInternal(true);
             if (log.isDebugEnabled()) {
                 log.debug("Save request in session '" + session.getIdInternal() + "'");

@@ -836,20 +836,13 @@ private final void internalMapWrapper(ContextVersion contextVersion,
 
         int pathOffset = path.getOffset();
         int pathEnd = path.getEnd();
-        int servletPath = pathOffset;
         boolean noServletPath = false;
 
         int length = contextVersion.path.length();
-        if (length != (pathEnd - pathOffset)) {
-            servletPath = pathOffset + length;
-        } else {
+        if (length == (pathEnd - pathOffset)) {
             noServletPath = true;
-            path.append('/');
-            pathOffset = path.getOffset();
-            pathEnd = path.getEnd();
-            servletPath = pathOffset+length;
         }
-
+        int servletPath = pathOffset + length;
         path.setOffset(servletPath);
 
         // Rule 1 -- Exact Match
@@ -887,8 +880,10 @@ private final void internalMapWrapper(ContextVersion contextVersion,
         if(mappingData.wrapper == null && noServletPath &&
                 mappingData.context.getMapperContextRootRedirectEnabled()) {
             // The path is empty, redirect to "/"
+            path.append('/');
+            pathEnd = path.getEnd();
             mappingData.redirectPath.setChars
-                (path.getBuffer(), pathOffset, pathEnd-pathOffset);
+                (path.getBuffer(), pathOffset, pathEnd - pathOffset);
             path.setEnd(pathEnd - 1);
             return;
         }
@@ -1003,7 +998,13 @@ private final void internalMapWrapper(ContextVersion contextVersion,
             char[] buf = path.getBuffer();
             if (contextVersion.resources != null && buf[pathEnd -1 ] != '/') {
                 String pathStr = path.toString();
-                WebResource file = contextVersion.resources.getResource(pathStr);
+                WebResource file;
+                // Handle context root
+                if (pathStr.length() == 0) {
+                    file = contextVersion.resources.getResource("/");
+                } else {
+                    file = contextVersion.resources.getResource(pathStr);
+                }
                 if (file != null && file.isDirectory() &&
                         mappingData.context.getMapperDirectoryRedirectEnabled()) {
                     // Note: this mutates the path: do not do any processing

@@ -331,6 +331,10 @@ public void init() throws ServletException {
      * @param request The servlet request we are processing
      */
     protected String getRelativePath(HttpServletRequest request) {
+        return getRelativePath(request, false);
+    }
+
+    protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) {
         // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
         // serves resources from the web app root with context rooted paths.
         // i.e. it can not be used to mount the web app root under a sub-path
@@ -356,7 +360,7 @@ protected String getRelativePath(HttpServletRequest request) {
         if (pathInfo != null) {
             result.append(pathInfo);
         }
-        if (result.length() == 0) {
+        if (result.length() == 0 && !allowEmptyPath) {
             result.append('/');
         }
 
@@ -686,7 +690,8 @@ protected void serveResource(HttpServletRequest request,
         boolean serveContent = content;
 
         // Identify the requested resource path
-        String path = getRelativePath(request);
+        String path = getRelativePath(request, true);
+
         if (debug > 0) {
             if (serveContent)
                 log("DefaultServlet.serveResource:  Serving resource '" +
@@ -696,6 +701,12 @@ protected void serveResource(HttpServletRequest request,
                     path + "' headers only");
         }
 
+        if (path.length() == 0) {
+            // Context root redirect
+            doDirectoryRedirect(request, response);
+            return;
+        }
+
         WebResource resource = resources.getResource(path);
 
         if (!resource.exists()) {
@@ -811,13 +822,7 @@ protected void serveResource(HttpServletRequest request,
 
         if (resource.isDirectory()) {
             if (!path.endsWith("/")) {
-                StringBuilder location = new StringBuilder(request.getRequestURI());
-                location.append('/');
-                if (request.getQueryString() != null) {
-                    location.append('?');
-                    location.append(request.getQueryString());
-                }
-                response.sendRedirect(response.encodeRedirectURL(location.toString()));
+                doDirectoryRedirect(request, response);
                 return;
             }
 
@@ -1026,6 +1031,16 @@ protected void serveResource(HttpServletRequest request,
         }
     }
 
+    private void doDirectoryRedirect(HttpServletRequest request, HttpServletResponse response)
+            throws IOException {
+        StringBuilder location = new StringBuilder(request.getRequestURI());
+        location.append('/');
+        if (request.getQueryString() != null) {
+            location.append('?');
+            location.append(request.getQueryString());
+        }
+        response.sendRedirect(response.encodeRedirectURL(location.toString()));
+    }
 
     /**
      * Parse the content-range header.

@@ -375,6 +375,11 @@ protected boolean checkIfHeaders(HttpServletRequest request,
      */
     @Override
     protected String getRelativePath(HttpServletRequest request) {
+        return getRelativePath(request, false);
+    }
+
+    @Override
+    protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) {
         String pathInfo;
 
         if (request.getAttribute(RequestDispatcher.INCLUDE_REQUEST_URI) != null) {

@@ -61,6 +61,11 @@
         running Tomcat with a Java agent. Based on a patch by Huxing Zhang.
         (markt)
       </fix>
+      <fix>
+        <bug>58660</bug>: Correct a regression in 8.0.29 caused by the change
+        that moved the redirection for context roots from the Mapper to the
+        Default Servlet. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

@@ -879,8 +879,10 @@ private final void internalMapWrapper(ContextVersion contextVersion,
         if(mappingData.wrapper == null && noServletPath &&
                 mappingData.context.getMapperContextRootRedirectEnabled()) {
             // The path is empty, redirect to "/"
+            path.append('/');
+            pathEnd = path.getEnd();
             mappingData.redirectPath.setChars
-                (path.getBuffer(), pathOffset, pathEnd-pathOffset);
+                (path.getBuffer(), pathOffset, pathEnd - pathOffset);
             path.setEnd(pathEnd - 1);
             return;
         }

@@ -879,8 +879,10 @@ private final void internalMapWrapper(ContextVersion contextVersion,
         if(mappingData.wrapper == null && noServletPath &&
                 mappingData.context.getMapperContextRootRedirectEnabled()) {
             // The path is empty, redirect to "/"
+            path.append('/');
+            pathEnd = path.getEnd();
             mappingData.redirectPath.setChars
-                (path.getBuffer(), pathOffset, pathEnd-pathOffset);
+                (path.getBuffer(), pathOffset, pathEnd - pathOffset);
             path.setEnd(pathEnd - 1);
             return;
         }

@@ -219,6 +219,20 @@ public boolean authenticate(Request request, HttpServletResponse response)
 
         // No -- Save this request and redirect to the form login page
         if (!loginAction) {
+            // If this request was to the root of the context without a trailing
+            // '/', need to redirect to add it else the submit of the login form
+            // may not go to the correct web application
+            if (request.getServletPath().length() == 0 && request.getPathInfo() == null) {
+                StringBuilder location = new StringBuilder(requestURI);
+                location.append('/');
+                if (request.getQueryString() != null) {
+                    location.append('?');
+                    location.append(request.getQueryString());
+                }
+                response.sendRedirect(response.encodeRedirectURL(location.toString()));
+                return false;
+            }
+
             session = request.getSessionInternal(true);
             if (log.isDebugEnabled()) {
                 log.debug("Save request in session '" + session.getIdInternal() + "'");

@@ -835,20 +835,13 @@ private final void internalMapWrapper(ContextVersion contextVersion,
 
         int pathOffset = path.getOffset();
         int pathEnd = path.getEnd();
-        int servletPath = pathOffset;
         boolean noServletPath = false;
 
         int length = contextVersion.path.length();
-        if (length != (pathEnd - pathOffset)) {
-            servletPath = pathOffset + length;
-        } else {
+        if (length == (pathEnd - pathOffset)) {
             noServletPath = true;
-            path.append('/');
-            pathOffset = path.getOffset();
-            pathEnd = path.getEnd();
-            servletPath = pathOffset+length;
         }
-
+        int servletPath = pathOffset + length;
         path.setOffset(servletPath);
 
         // Rule 1 -- Exact Match
@@ -1002,7 +995,13 @@ private final void internalMapWrapper(ContextVersion contextVersion,
             char[] buf = path.getBuffer();
             if (contextVersion.resources != null && buf[pathEnd -1 ] != '/') {
                 String pathStr = path.toString();
-                WebResource file = contextVersion.resources.getResource(pathStr);
+                WebResource file;
+                // Handle context root
+                if (pathStr.length() == 0) {
+                    file = contextVersion.resources.getResource("/");
+                } else {
+                    file = contextVersion.resources.getResource(pathStr);
+                }
                 if (file != null && file.isDirectory() &&
                         mappingData.context.getMapperDirectoryRedirectEnabled()) {
                     // Note: this mutates the path: do not do any processing

@@ -331,6 +331,10 @@ public void init() throws ServletException {
      * @param request The servlet request we are processing
      */
     protected String getRelativePath(HttpServletRequest request) {
+        return getRelativePath(request, false);
+    }
+
+    protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) {
         // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
         // serves resources from the web app root with context rooted paths.
         // i.e. it cannot be used to mount the web app root under a sub-path
@@ -356,7 +360,7 @@ protected String getRelativePath(HttpServletRequest request) {
         if (pathInfo != null) {
             result.append(pathInfo);
         }
-        if (result.length() == 0) {
+        if (result.length() == 0 && !allowEmptyPath) {
             result.append('/');
         }
 
@@ -686,7 +690,8 @@ protected void serveResource(HttpServletRequest request,
         boolean serveContent = content;
 
         // Identify the requested resource path
-        String path = getRelativePath(request);
+        String path = getRelativePath(request, true);
+
         if (debug > 0) {
             if (serveContent)
                 log("DefaultServlet.serveResource:  Serving resource '" +
@@ -696,6 +701,12 @@ protected void serveResource(HttpServletRequest request,
                     path + "' headers only");
         }
 
+        if (path.length() == 0) {
+            // Context root redirect
+            doDirectoryRedirect(request, response);
+            return;
+        }
+
         WebResource resource = resources.getResource(path);
 
         if (!resource.exists()) {
@@ -811,13 +822,7 @@ protected void serveResource(HttpServletRequest request,
 
         if (resource.isDirectory()) {
             if (!path.endsWith("/")) {
-                StringBuilder location = new StringBuilder(request.getRequestURI());
-                location.append('/');
-                if (request.getQueryString() != null) {
-                    location.append('?');
-                    location.append(request.getQueryString());
-                }
-                response.sendRedirect(response.encodeRedirectURL(location.toString()));
+                doDirectoryRedirect(request, response);
                 return;
             }
 
@@ -1026,6 +1031,16 @@ protected void serveResource(HttpServletRequest request,
         }
     }
 
+    private void doDirectoryRedirect(HttpServletRequest request, HttpServletResponse response)
+            throws IOException {
+        StringBuilder location = new StringBuilder(request.getRequestURI());
+        location.append('/');
+        if (request.getQueryString() != null) {
+            location.append('?');
+            location.append(request.getQueryString());
+        }
+        response.sendRedirect(response.encodeRedirectURL(location.toString()));
+    }
 
     /**
      * Parse the content-range header.

@@ -219,6 +219,20 @@ public boolean authenticate(Request request, HttpServletResponse response)
 
         // No -- Save this request and redirect to the form login page
         if (!loginAction) {
+            // If this request was to the root of the context without a trailing
+            // '/', need to redirect to add it else the submit of the login form
+            // may not go to the correct web application
+            if (request.getServletPath().length() == 0 && request.getPathInfo() == null) {
+                StringBuilder location = new StringBuilder(requestURI);
+                location.append('/');
+                if (request.getQueryString() != null) {
+                    location.append('?');
+                    location.append(request.getQueryString());
+                }
+                response.sendRedirect(response.encodeRedirectURL(location.toString()));
+                return false;
+            }
+
             session = request.getSessionInternal(true);
             if (log.isDebugEnabled()) {
                 log.debug("Save request in session '" + session.getIdInternal() + "'");

@@ -835,20 +835,13 @@ private final void internalMapWrapper(ContextVersion contextVersion,
 
         int pathOffset = path.getOffset();
         int pathEnd = path.getEnd();
-        int servletPath = pathOffset;
         boolean noServletPath = false;
 
         int length = contextVersion.path.length();
-        if (length != (pathEnd - pathOffset)) {
-            servletPath = pathOffset + length;
-        } else {
+        if (length == (pathEnd - pathOffset)) {
             noServletPath = true;
-            path.append('/');
-            pathOffset = path.getOffset();
-            pathEnd = path.getEnd();
-            servletPath = pathOffset+length;
         }
-
+        int servletPath = pathOffset + length;
         path.setOffset(servletPath);
 
         // Rule 1 -- Exact Match
@@ -1002,7 +995,13 @@ private final void internalMapWrapper(ContextVersion contextVersion,
             char[] buf = path.getBuffer();
             if (contextVersion.resources != null && buf[pathEnd -1 ] != '/') {
                 String pathStr = path.toString();
-                WebResource file = contextVersion.resources.getResource(pathStr);
+                WebResource file;
+                // Handle context root
+                if (pathStr.length() == 0) {
+                    file = contextVersion.resources.getResource("/");
+                } else {
+                    file = contextVersion.resources.getResource(pathStr);
+                }
                 if (file != null && file.isDirectory() &&
                         mappingData.context.getMapperDirectoryRedirectEnabled()) {
                     // Note: this mutates the path: do not do any processing

@@ -331,6 +331,10 @@ public void init() throws ServletException {
      * @param request The servlet request we are processing
      */
     protected String getRelativePath(HttpServletRequest request) {
+        return getRelativePath(request, false);
+    }
+
+    protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) {
         // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
         // serves resources from the web app root with context rooted paths.
         // i.e. it cannot be used to mount the web app root under a sub-path
@@ -356,7 +360,7 @@ protected String getRelativePath(HttpServletRequest request) {
         if (pathInfo != null) {
             result.append(pathInfo);
         }
-        if (result.length() == 0) {
+        if (result.length() == 0 && !allowEmptyPath) {
             result.append('/');
         }
 
@@ -686,7 +690,8 @@ protected void serveResource(HttpServletRequest request,
         boolean serveContent = content;
 
         // Identify the requested resource path
-        String path = getRelativePath(request);
+        String path = getRelativePath(request, true);
+
         if (debug > 0) {
             if (serveContent)
                 log("DefaultServlet.serveResource:  Serving resource '" +
@@ -696,6 +701,12 @@ protected void serveResource(HttpServletRequest request,
                     path + "' headers only");
         }
 
+        if (path.length() == 0) {
+            // Context root redirect
+            doDirectoryRedirect(request, response);
+            return;
+        }
+
         WebResource resource = resources.getResource(path);
 
         if (!resource.exists()) {
@@ -811,13 +822,7 @@ protected void serveResource(HttpServletRequest request,
 
         if (resource.isDirectory()) {
             if (!path.endsWith("/")) {
-                StringBuilder location = new StringBuilder(request.getRequestURI());
-                location.append('/');
-                if (request.getQueryString() != null) {
-                    location.append('?');
-                    location.append(request.getQueryString());
-                }
-                response.sendRedirect(response.encodeRedirectURL(location.toString()));
+                doDirectoryRedirect(request, response);
                 return;
             }
 
@@ -1026,6 +1031,16 @@ protected void serveResource(HttpServletRequest request,
         }
     }
 
+    private void doDirectoryRedirect(HttpServletRequest request, HttpServletResponse response)
+            throws IOException {
+        StringBuilder location = new StringBuilder(request.getRequestURI());
+        location.append('/');
+        if (request.getQueryString() != null) {
+            location.append('?');
+            location.append(request.getQueryString());
+        }
+        response.sendRedirect(response.encodeRedirectURL(location.toString()));
+    }
 
     /**
      * Parse the content-range header.

@@ -384,7 +384,8 @@ private void registerContext(Context context) {
 
         mapper.addContextVersion(host.getName(), host, contextPath,
                 context.getWebappVersion(), context, welcomeFiles, resources,
-                wrappers);
+                wrappers, context.getMapperContextRootRedirectEnabled(),
+                context.getMapperDirectoryRedirectEnabled());
 
         if(log.isDebugEnabled()) {
             log.debug(sm.getString("mapperListener.registerContext",

@@ -1642,4 +1642,44 @@ Set<String> addServletSecurity(ApplicationServletRegistration registration,
      *         false}
      */
     public boolean getValidateClientProvidedNewSessionId();
+
+    /**
+     * If enabled, requests for a web application context root will be
+     * redirected (adding a trailing slash) by the Mapper. This is more
+     * efficient but has the side effect of confirming that the context path is
+     * valid.
+     *
+     * @param mapperContextRootRedirectEnabled Should the redirects be enabled?
+     */
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled);
+
+    /**
+     * Determines if requests for a web application context root will be
+     * redirected (adding a trailing slash) by the Mapper. This is more
+     * efficient but has the side effect of confirming that the context path is
+     * valid.
+     *
+     * @return {@code true} if the Mapper level redirect is enabled for this
+     *         Context.
+     */
+    public boolean getMapperContextRootRedirectEnabled();
+
+    /**
+     * If enabled, requests for a directory will be redirected (adding a
+     * trailing slash) by the Mapper. This is more efficient but has the
+     * side effect of confirming that the directory is valid.
+     *
+     * @param mapperDirectoryRedirectEnabled Should the redirects be enabled?
+     */
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled);
+
+    /**
+     * Determines if requests for a directory will be redirected (adding a
+     * trailing slash) by the Mapper. This is more efficient but has the
+     * side effect of confirming that the directory is valid.
+     *
+     * @return {@code true} if the Mapper level redirect is enabled for this
+     *         Context.
+     */
+    public boolean getMapperDirectoryRedirectEnabled();
 }

@@ -221,6 +221,14 @@
                description="The object used for mapping"
                type="java.lang.Object"/>
       
+    <attribute name="mapperContextRootRedirectEnabled"
+               description="Should the Mapper be used for context root redirects"
+               type="boolean" />
+
+    <attribute name="mapperDirectoryRedirectEnabled"
+               description="Should the Mapper be used for directory redirects"
+               type="boolean" />
+
     <attribute name="namingContextListener"
                description="Associated naming context listener."
                type="org.apache.catalina.core.NamingContextListener" />

@@ -911,15 +911,53 @@ public StandardContext() {
 
     private boolean validateClientProvidedNewSessionId = true;
 
-    
+    boolean mapperContextRootRedirectEnabled = false;
+
+    boolean mapperDirectoryRedirectEnabled = false;
+
+
     // ----------------------------------------------------- Context Properties
     
+    @Override
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
+        this.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled;
+    }
+
+
+    /**
+     * {@inheritDoc}
+     * <p>
+     * The default value for this implementation is {@code false}.
+     */
+    @Override
+    public boolean getMapperContextRootRedirectEnabled() {
+        return mapperContextRootRedirectEnabled;
+    }
+
+
+    @Override
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
+        this.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled;
+    }
+
+
+    /**
+     * {@inheritDoc}
+     * <p>
+     * The default value for this implementation is {@code false}.
+     */
+    @Override
+    public boolean getMapperDirectoryRedirectEnabled() {
+        return mapperDirectoryRedirectEnabled;
+    }
+
+
     @Override
     public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
         this.validateClientProvidedNewSessionId = validateClientProvidedNewSessionId;
     }
 
-    
+
     /**
      * {@inheritDoc}
      * <p>
@@ -930,7 +968,7 @@ public boolean getValidateClientProvidedNewSessionId() {
         return validateClientProvidedNewSessionId;
     }
 
-    
+
     @Override
     public void setContainerSciFilter(String containerSciFilter) {
         this.containerSciFilter = containerSciFilter;

@@ -862,6 +862,17 @@ protected void serveResource(HttpServletRequest request,
 
         if (cacheEntry.context != null) {
 
+            if (!path.endsWith("/")) {
+                StringBuilder location = new StringBuilder(request.getRequestURI());
+                location.append('/');
+                if (request.getQueryString() != null) {
+                    location.append('?');
+                    location.append(request.getQueryString());
+                }
+                response.sendRedirect(response.encodeRedirectURL(location.toString()));
+                return;
+            }
+
             // Skip directory listings if we have been configured to
             // suppress them
             if (!listings) {

@@ -706,9 +706,25 @@ public void setContainerSciFilter(String containerSciFilter) { /* NO-OP */ }
 
     @Override
     public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
-        //NO-OP
+        // NO-OP
     }
 
     @Override
     public boolean getValidateClientProvidedNewSessionId() { return false; }
+
+    @Override
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperContextRootRedirectEnabled() { return false; }
+
+    @Override
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperDirectoryRedirectEnabled() { return false; }
 }
\ No newline at end of file

@@ -248,7 +248,8 @@ public void setContext(String path, String[] welcomeResources,
      * @param context Context object
      * @param welcomeResources Welcome files defined for this context
      * @param resources Static resources of the context
-     * @deprecated Use {@link #addContextVersion(String, Object, String, String, Object, String[], javax.naming.Context, Collection)}
+     * @deprecated Use {@link #addContextVersion(String, Object, String, String, Object, String[],
+     *             javax.naming.Context, Collection, boolean, boolean)}
      */
     @Deprecated
     public void addContextVersion(String hostName, Object host, String path,
@@ -258,6 +259,7 @@ public void addContextVersion(String hostName, Object host, String path,
                 welcomeResources, resources, null);
     }
 
+    
     /**
      * Add a new Context to an existing Host.
      *
@@ -269,10 +271,36 @@ public void addContextVersion(String hostName, Object host, String path,
      * @param welcomeResources Welcome files defined for this context
      * @param resources Static resources of the context
      * @param wrappers Information on wrapper mappings
+     * @deprecated Use {@link #addContextVersion(String, Object, String, String, Object, String[],
+     *             javax.naming.Context, Collection, boolean, boolean)}
      */
+    @Deprecated
     public void addContextVersion(String hostName, Object host, String path,
             String version, Object context, String[] welcomeResources,
             javax.naming.Context resources, Collection<WrapperMappingInfo> wrappers) {
+        addContextVersion(hostName, host, path, version, context, welcomeResources, resources,
+                wrappers, false, false);
+    }
+    
+    
+    /**
+     * Add a new Context to an existing Host.
+     *
+     * @param hostName Virtual host name this context belongs to
+     * @param host Host object
+     * @param path Context path
+     * @param version Context version
+     * @param context Context object
+     * @param welcomeResources Welcome files defined for this context
+     * @param resources Static resources of the context
+     * @param wrappers Information on wrapper mappings
+     * @param mapperContextRootRedirectEnabled Mapper does context root redirects
+     * @param mapperDirectoryRedirectEnabled Mapper does directory redirects
+     */
+    public void addContextVersion(String hostName, Object host, String path,
+            String version, Object context, String[] welcomeResources,
+            javax.naming.Context resources, Collection<WrapperMappingInfo> wrappers,
+            boolean mapperContextRootRedirectEnabled, boolean mapperDirectoryRedirectEnabled) {
 
         Host mappedHost = exactFind(hosts, hostName);
         if (mappedHost == null) {
@@ -294,6 +322,9 @@ public void addContextVersion(String hostName, Object host, String path,
             newContextVersion.slashCount = slashCount;
             newContextVersion.welcomeResources = welcomeResources;
             newContextVersion.resources = resources;
+            newContextVersion.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled;
+            newContextVersion.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled;
+            
             if (wrappers != null) {
                 addWrappers(newContextVersion, wrappers);
             }
@@ -904,7 +935,8 @@ private final void internalMapWrapper(ContextVersion contextVersion,
             }
         }
 
-        if(mappingData.wrapper == null && noServletPath) {
+        if(mappingData.wrapper == null && noServletPath &&
+                contextVersion.mapperContextRootRedirectEnabled) {
             // The path is empty, redirect to "/"
             mappingData.redirectPath.setChars
                 (path.getBuffer(), pathOffset, pathEnd-pathOffset);
@@ -1032,7 +1064,8 @@ private final void internalMapWrapper(ContextVersion contextVersion,
                 } catch(NamingException nex) {
                     // Swallow, since someone else handles the 404
                 }
-                if (file != null && file instanceof DirContext) {
+                if (file != null && file instanceof DirContext &&
+                        contextVersion.mapperDirectoryRedirectEnabled) {
                     // Note: this mutates the path: do not do any processing
                     // after this (since we set the redirectPath, there
                     // shouldn't be any)
@@ -1049,7 +1082,6 @@ private final void internalMapWrapper(ContextVersion contextVersion,
 
         path.setOffset(pathOffset);
         path.setEnd(pathEnd);
-
     }
 
 
@@ -1684,6 +1716,8 @@ protected static final class ContextVersion extends MapElement {
         public Wrapper[] wildcardWrappers = new Wrapper[0];
         public Wrapper[] extensionWrappers = new Wrapper[0];
         public int nesting = 0;
+        public boolean mapperContextRootRedirectEnabled = false;
+        public boolean mapperDirectoryRedirectEnabled = false;
         private volatile boolean paused;
 
         public ContextVersion() {

@@ -1227,4 +1227,20 @@ public void setValidateClientProvidedNewSessionId(boolean validateClientProvided
 
     @Override
     public boolean getValidateClientProvidedNewSessionId() { return false; }
+
+    @Override
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperContextRootRedirectEnabled() { return false; }
+
+    @Override
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperDirectoryRedirectEnabled() { return false; }
 }

@@ -631,8 +631,7 @@ public static int methodUrl(String path, ByteChunk out, int readTimeout,
             String method) throws IOException {
 
         URL url = new URL(path);
-        HttpURLConnection connection =
-            (HttpURLConnection) url.openConnection();
+        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
         connection.setUseCaches(false);
         connection.setReadTimeout(readTimeout);
         connection.setRequestMethod(method);

@@ -18,6 +18,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.util.HashMap;
 import java.util.List;
 
@@ -31,8 +32,11 @@
 
 import org.apache.catalina.Context;
 import org.apache.catalina.core.StandardContext;
+import org.apache.catalina.deploy.SecurityCollection;
+import org.apache.catalina.deploy.SecurityConstraint;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.catalina.valves.RemoteAddrValve;
 import org.apache.tomcat.util.buf.ByteChunk;
 
 /**
@@ -223,6 +227,66 @@ public void testWelcomeFileStrict() throws Exception {
         Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, rc);
     }
 
+    @Test
+    public void testRedirect() throws Exception {
+        // Disable the following of redirects for this test only
+        boolean originalValue = HttpURLConnection.getFollowRedirects();
+        HttpURLConnection.setFollowRedirects(false);
+        try {
+            Tomcat tomcat = getTomcatInstance();
+
+            // Use standard test webapp as ROOT
+            File rootDir = new File("test/webapp-3.0");
+            org.apache.catalina.Context root =
+                    tomcat.addWebapp(null, "", rootDir.getAbsolutePath());
+
+            // Add a security constraint
+            SecurityConstraint constraint = new SecurityConstraint();
+            SecurityCollection collection = new SecurityCollection();
+            collection.addPattern("/welcome-files/*");
+            collection.addPattern("/welcome-files");
+            constraint.addCollection(collection);
+            constraint.addAuthRole("foo");
+            root.addConstraint(constraint);
+
+            // Also make examples available
+            File examplesDir = new File(getBuildDirectory(), "webapps/examples");
+            org.apache.catalina.Context examples  = tomcat.addWebapp(
+                    null, "/examples", examplesDir.getAbsolutePath());
+            // Then block access to the examples to test redirection
+            RemoteAddrValve rav = new RemoteAddrValve();
+            rav.setDeny(".*");
+            rav.setDenyStatus(404);
+            examples.getPipeline().addValve(rav);
+
+            tomcat.start();
+
+            // Redirects within a web application
+            doRedirectTest("/welcome-files", 401);
+            doRedirectTest("/welcome-files/", 401);
+
+            doRedirectTest("/jsp", 302);
+            doRedirectTest("/jsp/", 404);
+
+            doRedirectTest("/WEB-INF", 404);
+            doRedirectTest("/WEB-INF/", 404);
+
+            // Redirects between web applications
+            doRedirectTest("/examples", 404);
+            doRedirectTest("/examples/", 404);
+        } finally {
+            HttpURLConnection.setFollowRedirects(originalValue);
+        }
+    }
+
+
+    private void doRedirectTest(String path, int expected) throws IOException {
+        ByteChunk bc = new ByteChunk();
+        int rc = getUrl("http://localhost:" + getPort() + path, bc, null);
+        Assert.assertEquals(expected, rc);
+    }
+
+
     /**
      * Prepare a string to search in messages that contain a timestamp, when it
      * is known that the timestamp was printed between {@code timeA} and

@@ -171,6 +171,16 @@
         Ensure that in an embedded Tomcat the logging configuration is
         not lost during garbage collection. (violetagg)
       </fix>
+      <add>
+        Move the functionality that provides redirects for context roots and
+        directories where a trailing <code>/</code> is added from the Mapper to
+        the <code>DefaultServlet</code>. This enables such requests to be
+        processed by any configured Valves and Filters before the redirect is
+        made. This behaviour is configurable via the
+        <code>mapperContextRootRedirectEnabled</code> and
+        <code>mapperDirectoryRedirectEnabled</code> attributes of the Context
+        which may be used to restore the previous behaviour. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Cluster">

@@ -360,6 +360,22 @@
         default value of <code>false</code> is used.</p>
       </attribute>
 
+      <attribute name="mapperContextRootRedirectEnabled" required="false">
+        <p>If enabled, requests for a web application context root will be
+        redirected (adding a trailing slash) if necessary by the Mapper rather
+        than the default Servlet. This is more efficient but has the side effect
+        of confirming that the context path exists. If not specified, the
+        default value of <code>false</code> is used.</p>
+      </attribute>
+
+      <attribute name="mapperDirectoryRedirectEnabled" required="false">
+        <p>If enabled, requests for a web application directory will be
+        redirected (adding a trailing slash) if necessary by the Mapper rather
+        than the default Servlet. This is more efficient but has the side effect
+        of confirming that the directory is exists. If not specified, the
+        default value of <code>false</code> is used.</p>
+      </attribute>
+
       <attribute name="override" required="false">
         <p>Set to <code>true</code> to ignore any settings in both the global
         or <a href="host.html">Host</a> default contexts.  By default, settings

@@ -1698,4 +1698,44 @@ Set<String> addServletSecurity(ServletRegistration.Dynamic registration,
      *         false}
      */
     public boolean getValidateClientProvidedNewSessionId();
+
+    /**
+     * If enabled, requests for a web application context root will be
+     * redirected (adding a trailing slash) by the Mapper. This is more
+     * efficient but has the side effect of confirming that the context path is
+     * valid.
+     *
+     * @param mapperContextRootRedirectEnabled Should the redirects be enabled?
+     */
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled);
+
+    /**
+     * Determines if requests for a web application context root will be
+     * redirected (adding a trailing slash) by the Mapper. This is more
+     * efficient but has the side effect of confirming that the context path is
+     * valid.
+     *
+     * @return {@code true} if the Mapper level redirect is enabled for this
+     *         Context.
+     */
+    public boolean getMapperContextRootRedirectEnabled();
+
+    /**
+     * If enabled, requests for a directory will be redirected (adding a
+     * trailing slash) by the Mapper. This is more efficient but has the
+     * side effect of confirming that the directory is valid.
+     *
+     * @param mapperDirectoryRedirectEnabled Should the redirects be enabled?
+     */
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled);
+
+    /**
+     * Determines if requests for a directory will be redirected (adding a
+     * trailing slash) by the Mapper. This is more efficient but has the
+     * side effect of confirming that the directory is valid.
+     *
+     * @return {@code true} if the Mapper level redirect is enabled for this
+     *         Context.
+     */
+    public boolean getMapperDirectoryRedirectEnabled();
 }

@@ -177,6 +177,14 @@
                description="Associated manager."
                type="org.apache.catalina.Manager" />
 
+    <attribute name="mapperContextRootRedirectEnabled"
+               description="Should the Mapper be used for context root redirects"
+               type="boolean" />
+
+    <attribute name="mapperDirectoryRedirectEnabled"
+               description="Should the Mapper be used for directory redirects"
+               type="boolean" />
+
     <attribute name="namingContextListener"
                description="Associated naming context listener."
                type="org.apache.catalina.core.NamingContextListener" />

@@ -815,13 +815,53 @@ public void unbind() {}
 
     private boolean validateClientProvidedNewSessionId = true;
 
+    boolean mapperContextRootRedirectEnabled = false;
+
+    boolean mapperDirectoryRedirectEnabled = false;
+
+
     // ----------------------------------------------------- Context Properties
 
+    @Override
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
+        this.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled;
+    }
+
+
+    /**
+     * {@inheritDoc}
+     * <p>
+     * The default value for this implementation is {@code false}.
+     */
+    @Override
+    public boolean getMapperContextRootRedirectEnabled() {
+        return mapperContextRootRedirectEnabled;
+    }
+
+
+    @Override
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
+        this.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled;
+    }
+
+
+    /**
+     * {@inheritDoc}
+     * <p>
+     * The default value for this implementation is {@code false}.
+     */
+    @Override
+    public boolean getMapperDirectoryRedirectEnabled() {
+        return mapperDirectoryRedirectEnabled;
+    }
+
+
     @Override
     public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
         this.validateClientProvidedNewSessionId = validateClientProvidedNewSessionId;
     }
 
+
     /**
      * {@inheritDoc}
      * <p>
@@ -832,6 +872,7 @@ public boolean getValidateClientProvidedNewSessionId() {
         return validateClientProvidedNewSessionId;
     }
 
+
     @Override
     public void setCookieProcessor(CookieProcessor cookieProcessor) {
         if (cookieProcessor == null) {

@@ -884,7 +884,8 @@ private final void internalMapWrapper(ContextVersion contextVersion,
             }
         }
 
-        if(mappingData.wrapper == null && noServletPath) {
+        if(mappingData.wrapper == null && noServletPath &&
+                mappingData.context.getMapperContextRootRedirectEnabled()) {
             // The path is empty, redirect to "/"
             mappingData.redirectPath.setChars
                 (path.getBuffer(), pathOffset, pathEnd-pathOffset);
@@ -1002,9 +1003,9 @@ private final void internalMapWrapper(ContextVersion contextVersion,
             char[] buf = path.getBuffer();
             if (contextVersion.resources != null && buf[pathEnd -1 ] != '/') {
                 String pathStr = path.toString();
-                WebResource file =
-                        contextVersion.resources.getResource(pathStr);
-                if (file != null && file.isDirectory()) {
+                WebResource file = contextVersion.resources.getResource(pathStr);
+                if (file != null && file.isDirectory() &&
+                        mappingData.context.getMapperDirectoryRedirectEnabled()) {
                     // Note: this mutates the path: do not do any processing
                     // after this (since we set the redirectPath, there
                     // shouldn't be any)
@@ -1021,7 +1022,6 @@ private final void internalMapWrapper(ContextVersion contextVersion,
 
         path.setOffset(pathOffset);
         path.setEnd(pathEnd);
-
     }
 
 

@@ -816,6 +816,17 @@ protected void serveResource(HttpServletRequest request,
         long contentLength = -1L;
 
         if (resource.isDirectory()) {
+            if (!path.endsWith("/")) {
+                StringBuilder location = new StringBuilder(request.getRequestURI());
+                location.append('/');
+                if (request.getQueryString() != null) {
+                    location.append('?');
+                    location.append(request.getQueryString());
+                }
+                response.sendRedirect(response.encodeRedirectURL(location.toString()));
+                return;
+            }
+
             // Skip directory listings if we have been configured to
             // suppress them
             if (!listings) {

@@ -764,9 +764,25 @@ public void setCookieProcessor(CookieProcessor cookieProcessor) { /* NO-OP */ }
 
     @Override
     public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
-        //NO-OP
+        // NO-OP
     }
 
     @Override
     public boolean getValidateClientProvidedNewSessionId() { return false; }
+
+    @Override
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperContextRootRedirectEnabled() { return false; }
+
+    @Override
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperDirectoryRedirectEnabled() { return false; }
 }
\ No newline at end of file

@@ -1234,4 +1234,20 @@ public void setValidateClientProvidedNewSessionId(boolean validateClientProvided
 
     @Override
     public boolean getValidateClientProvidedNewSessionId() { return false; }
+
+    @Override
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperContextRootRedirectEnabled() { return false; }
+
+    @Override
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperDirectoryRedirectEnabled() { return false; }
 }

@@ -18,6 +18,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.util.HashMap;
 import java.util.List;
 
@@ -33,7 +34,10 @@
 import org.apache.catalina.core.StandardContext;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.catalina.valves.RemoteAddrValve;
 import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.descriptor.web.SecurityCollection;
+import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.apache.tomcat.websocket.server.WsContextListener;
 
 /**
@@ -225,6 +229,66 @@ public void testWelcomeFileStrict() throws Exception {
         Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, rc);
     }
 
+    @Test
+    public void testRedirect() throws Exception {
+        // Disable the following of redirects for this test only
+        boolean originalValue = HttpURLConnection.getFollowRedirects();
+        HttpURLConnection.setFollowRedirects(false);
+        try {
+            Tomcat tomcat = getTomcatInstance();
+
+            // Use standard test webapp as ROOT
+            File rootDir = new File("test/webapp");
+            org.apache.catalina.Context root =
+                    tomcat.addWebapp(null, "", rootDir.getAbsolutePath());
+
+            // Add a security constraint
+            SecurityConstraint constraint = new SecurityConstraint();
+            SecurityCollection collection = new SecurityCollection();
+            collection.addPattern("/welcome-files/*");
+            collection.addPattern("/welcome-files");
+            constraint.addCollection(collection);
+            constraint.addAuthRole("foo");
+            root.addConstraint(constraint);
+
+            // Also make examples available
+            File examplesDir = new File(getBuildDirectory(), "webapps/examples");
+            org.apache.catalina.Context examples  = tomcat.addWebapp(
+                    null, "/examples", examplesDir.getAbsolutePath());
+            // Then block access to the examples to test redirection
+            RemoteAddrValve rav = new RemoteAddrValve();
+            rav.setDeny(".*");
+            rav.setDenyStatus(404);
+            examples.getPipeline().addValve(rav);
+
+            tomcat.start();
+
+            // Redirects within a web application
+            doRedirectTest("/welcome-files", 401);
+            doRedirectTest("/welcome-files/", 401);
+
+            doRedirectTest("/jsp", 302);
+            doRedirectTest("/jsp/", 404);
+
+            doRedirectTest("/WEB-INF", 404);
+            doRedirectTest("/WEB-INF/", 404);
+
+            // Redirects between web applications
+            doRedirectTest("/examples", 404);
+            doRedirectTest("/examples/", 404);
+        } finally {
+            HttpURLConnection.setFollowRedirects(originalValue);
+        }
+    }
+
+
+    private void doRedirectTest(String path, int expected) throws IOException {
+        ByteChunk bc = new ByteChunk();
+        int rc = getUrl("http://localhost:" + getPort() + path, bc, null);
+        Assert.assertEquals(expected, rc);
+    }
+
+
     /**
      * Prepare a string to search in messages that contain a timestamp, when it
      * is known that the timestamp was printed between {@code timeA} and

@@ -646,8 +646,7 @@ public static int methodUrl(String path, ByteChunk out, int readTimeout,
             String method) throws IOException {
 
         URL url = new URL(path);
-        HttpURLConnection connection =
-            (HttpURLConnection) url.openConnection();
+        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
         connection.setUseCaches(false);
         connection.setReadTimeout(readTimeout);
         connection.setRequestMethod(method);

@@ -20,6 +20,7 @@
 import org.junit.Test;
 
 import org.apache.catalina.Context;
+import org.apache.catalina.servlets.DefaultServlet;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
 import org.apache.tomcat.util.buf.ByteChunk;
@@ -75,6 +76,8 @@ private void doTestRewrite(String config, String request, String expectedURI) th
         Tomcat.addServlet(ctx, "snoop", new SnoopServlet());
         ctx.addServletMapping("/a/%255A", "snoop");
         ctx.addServletMapping("/c/*", "snoop");
+        Tomcat.addServlet(ctx, "default", new DefaultServlet());
+        ctx.addServletMapping("/", "default");
 
         tomcat.start();
 

@@ -188,6 +188,16 @@
         Ensure that in an embedded Tomcat the logging configuration is
         not lost during garbage collection. (violetagg)
       </fix>
+      <add>
+        Move the functionality that provides redirects for context roots and
+        directories where a trailing <code>/</code> is added from the Mapper to
+        the <code>DefaultServlet</code>. This enables such requests to be
+        processed by any configured Valves and Filters before the redirect is
+        made. This behaviour is configurable via the
+        <code>mapperContextRootRedirectEnabled</code> and
+        <code>mapperDirectoryRedirectEnabled</code> attributes of the Context
+        which may be used to restore the previous behaviour. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">

@@ -360,6 +360,22 @@
         default value of <code>false</code> is used.</p>
       </attribute>
 
+      <attribute name="mapperContextRootRedirectEnabled" required="false">
+        <p>If enabled, requests for a web application context root will be
+        redirected (adding a trailing slash) if necessary by the Mapper rather
+        than the default Servlet. This is more efficient but has the side effect
+        of confirming that the context path exists. If not specified, the
+        default value of <code>false</code> is used.</p>
+      </attribute>
+
+      <attribute name="mapperDirectoryRedirectEnabled" required="false">
+        <p>If enabled, requests for a web application directory will be
+        redirected (adding a trailing slash) if necessary by the Mapper rather
+        than the default Servlet. This is more efficient but has the side effect
+        of confirming that the directory is exists. If not specified, the
+        default value of <code>false</code> is used.</p>
+      </attribute>
+
       <attribute name="override" required="false">
         <p>Set to <code>true</code> to ignore any settings in both the global
         or <a href="host.html">Host</a> default contexts.  By default, settings

@@ -1714,4 +1714,44 @@ Set<String> addServletSecurity(ServletRegistration.Dynamic registration,
      *         false}
      */
     public boolean getValidateClientProvidedNewSessionId();
+
+    /**
+     * If enabled, requests for a web application context root will be
+     * redirected (adding a trailing slash) by the Mapper. This is more
+     * efficient but has the side effect of confirming that the context path is
+     * valid.
+     *
+     * @param mapperContextRootRedirectEnabled Should the redirects be enabled?
+     */
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled);
+
+    /**
+     * Determines if requests for a web application context root will be
+     * redirected (adding a trailing slash) by the Mapper. This is more
+     * efficient but has the side effect of confirming that the context path is
+     * valid.
+     *
+     * @return {@code true} if the Mapper level redirect is enabled for this
+     *         Context.
+     */
+    public boolean getMapperContextRootRedirectEnabled();
+
+    /**
+     * If enabled, requests for a directory will be redirected (adding a
+     * trailing slash) by the Mapper. This is more efficient but has the
+     * side effect of confirming that the directory is valid.
+     *
+     * @param mapperDirectoryRedirectEnabled Should the redirects be enabled?
+     */
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled);
+
+    /**
+     * Determines if requests for a directory will be redirected (adding a
+     * trailing slash) by the Mapper. This is more efficient but has the
+     * side effect of confirming that the directory is valid.
+     *
+     * @return {@code true} if the Mapper level redirect is enabled for this
+     *         Context.
+     */
+    public boolean getMapperDirectoryRedirectEnabled();
 }

@@ -177,6 +177,14 @@
                description="Associated manager."
                type="org.apache.catalina.Manager" />
 
+    <attribute name="mapperContextRootRedirectEnabled"
+               description="Should the Mapper be used for context root redirects"
+               type="boolean" />
+
+    <attribute name="mapperDirectoryRedirectEnabled"
+               description="Should the Mapper be used for directory redirects"
+               type="boolean" />
+
     <attribute name="namingContextListener"
                description="Associated naming context listener."
                type="org.apache.catalina.core.NamingContextListener" />

@@ -816,13 +816,53 @@ public void unbind() {}
 
     private boolean validateClientProvidedNewSessionId = true;
 
+    boolean mapperContextRootRedirectEnabled = false;
+
+    boolean mapperDirectoryRedirectEnabled = false;
+
+
     // ----------------------------------------------------- Context Properties
 
+    @Override
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
+        this.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled;
+    }
+
+
+    /**
+     * {@inheritDoc}
+     * <p>
+     * The default value for this implementation is {@code false}.
+     */
+    @Override
+    public boolean getMapperContextRootRedirectEnabled() {
+        return mapperContextRootRedirectEnabled;
+    }
+
+
+    @Override
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
+        this.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled;
+    }
+
+
+    /**
+     * {@inheritDoc}
+     * <p>
+     * The default value for this implementation is {@code false}.
+     */
+    @Override
+    public boolean getMapperDirectoryRedirectEnabled() {
+        return mapperDirectoryRedirectEnabled;
+    }
+
+
     @Override
     public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
         this.validateClientProvidedNewSessionId = validateClientProvidedNewSessionId;
     }
 
+
     /**
      * {@inheritDoc}
      * <p>
@@ -833,6 +873,7 @@ public boolean getValidateClientProvidedNewSessionId() {
         return validateClientProvidedNewSessionId;
     }
 
+
     @Override
     public void setCookieProcessor(CookieProcessor cookieProcessor) {
         if (cookieProcessor == null) {

@@ -883,7 +883,8 @@ private final void internalMapWrapper(ContextVersion contextVersion,
             }
         }
 
-        if(mappingData.wrapper == null && noServletPath) {
+        if(mappingData.wrapper == null && noServletPath &&
+                mappingData.context.getMapperContextRootRedirectEnabled()) {
             // The path is empty, redirect to "/"
             mappingData.redirectPath.setChars
                 (path.getBuffer(), pathOffset, pathEnd-pathOffset);
@@ -1001,9 +1002,9 @@ private final void internalMapWrapper(ContextVersion contextVersion,
             char[] buf = path.getBuffer();
             if (contextVersion.resources != null && buf[pathEnd -1 ] != '/') {
                 String pathStr = path.toString();
-                WebResource file =
-                        contextVersion.resources.getResource(pathStr);
-                if (file != null && file.isDirectory()) {
+                WebResource file = contextVersion.resources.getResource(pathStr);
+                if (file != null && file.isDirectory() &&
+                        mappingData.context.getMapperDirectoryRedirectEnabled()) {
                     // Note: this mutates the path: do not do any processing
                     // after this (since we set the redirectPath, there
                     // shouldn't be any)
@@ -1020,7 +1021,6 @@ private final void internalMapWrapper(ContextVersion contextVersion,
 
         path.setOffset(pathOffset);
         path.setEnd(pathEnd);
-
     }
 
 

@@ -816,6 +816,17 @@ protected void serveResource(HttpServletRequest request,
         long contentLength = -1L;
 
         if (resource.isDirectory()) {
+            if (!path.endsWith("/")) {
+                StringBuilder location = new StringBuilder(request.getRequestURI());
+                location.append('/');
+                if (request.getQueryString() != null) {
+                    location.append('?');
+                    location.append(request.getQueryString());
+                }
+                response.sendRedirect(response.encodeRedirectURL(location.toString()));
+                return;
+            }
+
             // Skip directory listings if we have been configured to
             // suppress them
             if (!listings) {

@@ -764,9 +764,25 @@ public void setCookieProcessor(CookieProcessor cookieProcessor) { /* NO-OP */ }
 
     @Override
     public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
-        //NO-OP
+        // NO-OP
     }
 
     @Override
     public boolean getValidateClientProvidedNewSessionId() { return false; }
+
+    @Override
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperContextRootRedirectEnabled() { return false; }
+
+    @Override
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperDirectoryRedirectEnabled() { return false; }
 }
\ No newline at end of file

@@ -1234,4 +1234,20 @@ public void setValidateClientProvidedNewSessionId(boolean validateClientProvided
 
     @Override
     public boolean getValidateClientProvidedNewSessionId() { return false; }
+
+    @Override
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperContextRootRedirectEnabled() { return false; }
+
+    @Override
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperDirectoryRedirectEnabled() { return false; }
 }

@@ -18,6 +18,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.util.HashMap;
 import java.util.List;
 
@@ -33,7 +34,10 @@
 import org.apache.catalina.core.StandardContext;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.catalina.valves.RemoteAddrValve;
 import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.descriptor.web.SecurityCollection;
+import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.apache.tomcat.websocket.server.WsContextListener;
 
 /**
@@ -225,6 +229,66 @@ public void testWelcomeFileStrict() throws Exception {
         Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, rc);
     }
 
+    @Test
+    public void testRedirect() throws Exception {
+        // Disable the following of redirects for this test only
+        boolean originalValue = HttpURLConnection.getFollowRedirects();
+        HttpURLConnection.setFollowRedirects(false);
+        try {
+            Tomcat tomcat = getTomcatInstance();
+
+            // Use standard test webapp as ROOT
+            File rootDir = new File("test/webapp");
+            org.apache.catalina.Context root =
+                    tomcat.addWebapp(null, "", rootDir.getAbsolutePath());
+
+            // Add a security constraint
+            SecurityConstraint constraint = new SecurityConstraint();
+            SecurityCollection collection = new SecurityCollection();
+            collection.addPattern("/welcome-files/*");
+            collection.addPattern("/welcome-files");
+            constraint.addCollection(collection);
+            constraint.addAuthRole("foo");
+            root.addConstraint(constraint);
+
+            // Also make examples available
+            File examplesDir = new File(getBuildDirectory(), "webapps/examples");
+            org.apache.catalina.Context examples  = tomcat.addWebapp(
+                    null, "/examples", examplesDir.getAbsolutePath());
+            // Then block access to the examples to test redirection
+            RemoteAddrValve rav = new RemoteAddrValve();
+            rav.setDeny(".*");
+            rav.setDenyStatus(404);
+            examples.getPipeline().addValve(rav);
+
+            tomcat.start();
+
+            // Redirects within a web application
+            doRedirectTest("/welcome-files", 401);
+            doRedirectTest("/welcome-files/", 401);
+
+            doRedirectTest("/jsp", 302);
+            doRedirectTest("/jsp/", 404);
+
+            doRedirectTest("/WEB-INF", 404);
+            doRedirectTest("/WEB-INF/", 404);
+
+            // Redirects between web applications
+            doRedirectTest("/examples", 404);
+            doRedirectTest("/examples/", 404);
+        } finally {
+            HttpURLConnection.setFollowRedirects(originalValue);
+        }
+    }
+
+
+    private void doRedirectTest(String path, int expected) throws IOException {
+        ByteChunk bc = new ByteChunk();
+        int rc = getUrl("http://localhost:" + getPort() + path, bc, null);
+        Assert.assertEquals(expected, rc);
+    }
+
+
     /**
      * Prepare a string to search in messages that contain a timestamp, when it
      * is known that the timestamp was printed between {@code timeA} and

@@ -647,8 +647,7 @@ public static int methodUrl(String path, ByteChunk out, int readTimeout,
             String method) throws IOException {
 
         URL url = new URL(path);
-        HttpURLConnection connection =
-            (HttpURLConnection) url.openConnection();
+        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
         connection.setUseCaches(false);
         connection.setReadTimeout(readTimeout);
         connection.setRequestMethod(method);

@@ -20,6 +20,7 @@
 import org.junit.Test;
 
 import org.apache.catalina.Context;
+import org.apache.catalina.servlets.DefaultServlet;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
 import org.apache.tomcat.util.buf.ByteChunk;
@@ -75,6 +76,8 @@ private void doTestRewrite(String config, String request, String expectedURI) th
         Tomcat.addServlet(ctx, "snoop", new SnoopServlet());
         ctx.addServletMapping("/a/%255A", "snoop");
         ctx.addServletMapping("/c/*", "snoop");
+        Tomcat.addServlet(ctx, "default", new DefaultServlet());
+        ctx.addServletMapping("/", "default");
 
         tomcat.start();
 

@@ -52,6 +52,16 @@
         <code>Mapper</code> used is the <code>Mapper</code> associated with the
         <code>Service</code> for which the listener was created. (markt)
       </scode>
+      <add>
+        Move the functionality that provides redirects for context roots and
+        directories where a trailing <code>/</code> is added from the Mapper to
+        the <code>DefaultServlet</code>. This enables such requests to be
+        processed by any configured Valves and Filters before the redirect is
+        made. This behaviour is configurable via the
+        <code>mapperContextRootRedirectEnabled</code> and
+        <code>mapperDirectoryRedirectEnabled</code> attributes of the Context
+        which may be used to restore the previous behaviour. (markt)
+      </add>
     </changelog>
   </subsection>
 </section>

@@ -360,6 +360,22 @@
         default value of <code>false</code> is used.</p>
       </attribute>
 
+      <attribute name="mapperContextRootRedirectEnabled" required="false">
+        <p>If enabled, requests for a web application context root will be
+        redirected (adding a trailing slash) if necessary by the Mapper rather
+        than the default Servlet. This is more efficient but has the side effect
+        of confirming that the context path exists. If not specified, the
+        default value of <code>false</code> is used.</p>
+      </attribute>
+
+      <attribute name="mapperDirectoryRedirectEnabled" required="false">
+        <p>If enabled, requests for a web application directory will be
+        redirected (adding a trailing slash) if necessary by the Mapper rather
+        than the default Servlet. This is more efficient but has the side effect
+        of confirming that the directory is exists. If not specified, the
+        default value of <code>false</code> is used.</p>
+      </attribute>
+
       <attribute name="override" required="false">
         <p>Set to <code>true</code> to ignore any settings in both the global
         or <a href="host.html">Host</a> default contexts.  By default, settings

@@ -1714,4 +1714,44 @@ Set<String> addServletSecurity(ServletRegistration.Dynamic registration,
      *         false}
      */
     public boolean getValidateClientProvidedNewSessionId();
+
+    /**
+     * If enabled, requests for a web application context root will be
+     * redirected (adding a trailing slash) by the Mapper. This is more
+     * efficient but has the side effect of confirming that the context path is
+     * valid.
+     *
+     * @param mapperContextRootRedirectEnabled Should the redirects be enabled?
+     */
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled);
+
+    /**
+     * Determines if requests for a web application context root will be
+     * redirected (adding a trailing slash) by the Mapper. This is more
+     * efficient but has the side effect of confirming that the context path is
+     * valid.
+     *
+     * @return {@code true} if the Mapper level redirect is enabled for this
+     *         Context.
+     */
+    public boolean getMapperContextRootRedirectEnabled();
+
+    /**
+     * If enabled, requests for a directory will be redirected (adding a
+     * trailing slash) by the Mapper. This is more efficient but has the
+     * side effect of confirming that the directory is valid.
+     *
+     * @param mapperDirectoryRedirectEnabled Should the redirects be enabled?
+     */
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled);
+
+    /**
+     * Determines if requests for a directory will be redirected (adding a
+     * trailing slash) by the Mapper. This is more efficient but has the
+     * side effect of confirming that the directory is valid.
+     *
+     * @return {@code true} if the Mapper level redirect is enabled for this
+     *         Context.
+     */
+    public boolean getMapperDirectoryRedirectEnabled();
 }

@@ -177,6 +177,14 @@
                description="Associated manager."
                type="org.apache.catalina.Manager" />
 
+    <attribute name="mapperContextRootRedirectEnabled"
+               description="Should the Mapper be used for context root redirects"
+               type="boolean" />
+
+    <attribute name="mapperDirectoryRedirectEnabled"
+               description="Should the Mapper be used for directory redirects"
+               type="boolean" />
+
     <attribute name="namingContextListener"
                description="Associated naming context listener."
                type="org.apache.catalina.core.NamingContextListener" />

@@ -816,13 +816,53 @@ public void unbind() {}
 
     private boolean validateClientProvidedNewSessionId = true;
 
+    boolean mapperContextRootRedirectEnabled = false;
+
+    boolean mapperDirectoryRedirectEnabled = false;
+
+
     // ----------------------------------------------------- Context Properties
 
+    @Override
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
+        this.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled;
+    }
+
+
+    /**
+     * {@inheritDoc}
+     * <p>
+     * The default value for this implementation is {@code false}.
+     */
+    @Override
+    public boolean getMapperContextRootRedirectEnabled() {
+        return mapperContextRootRedirectEnabled;
+    }
+
+
+    @Override
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
+        this.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled;
+    }
+
+
+    /**
+     * {@inheritDoc}
+     * <p>
+     * The default value for this implementation is {@code false}.
+     */
+    @Override
+    public boolean getMapperDirectoryRedirectEnabled() {
+        return mapperDirectoryRedirectEnabled;
+    }
+
+
     @Override
     public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
         this.validateClientProvidedNewSessionId = validateClientProvidedNewSessionId;
     }
 
+
     /**
      * {@inheritDoc}
      * <p>
@@ -833,6 +873,7 @@ public boolean getValidateClientProvidedNewSessionId() {
         return validateClientProvidedNewSessionId;
     }
 
+
     @Override
     public void setCookieProcessor(CookieProcessor cookieProcessor) {
         if (cookieProcessor == null) {

@@ -883,7 +883,8 @@ private final void internalMapWrapper(ContextVersion contextVersion,
             }
         }
 
-        if(mappingData.wrapper == null && noServletPath) {
+        if(mappingData.wrapper == null && noServletPath &&
+                mappingData.context.getMapperContextRootRedirectEnabled()) {
             // The path is empty, redirect to "/"
             mappingData.redirectPath.setChars
                 (path.getBuffer(), pathOffset, pathEnd-pathOffset);
@@ -1001,9 +1002,9 @@ private final void internalMapWrapper(ContextVersion contextVersion,
             char[] buf = path.getBuffer();
             if (contextVersion.resources != null && buf[pathEnd -1 ] != '/') {
                 String pathStr = path.toString();
-                WebResource file =
-                        contextVersion.resources.getResource(pathStr);
-                if (file != null && file.isDirectory()) {
+                WebResource file = contextVersion.resources.getResource(pathStr);
+                if (file != null && file.isDirectory() &&
+                        mappingData.context.getMapperDirectoryRedirectEnabled()) {
                     // Note: this mutates the path: do not do any processing
                     // after this (since we set the redirectPath, there
                     // shouldn't be any)
@@ -1020,7 +1021,6 @@ private final void internalMapWrapper(ContextVersion contextVersion,
 
         path.setOffset(pathOffset);
         path.setEnd(pathEnd);
-
     }
 
 

@@ -816,6 +816,17 @@ protected void serveResource(HttpServletRequest request,
         long contentLength = -1L;
 
         if (resource.isDirectory()) {
+            if (!path.endsWith("/")) {
+                StringBuilder location = new StringBuilder(request.getRequestURI());
+                location.append('/');
+                if (request.getQueryString() != null) {
+                    location.append('?');
+                    location.append(request.getQueryString());
+                }
+                response.sendRedirect(response.encodeRedirectURL(location.toString()));
+                return;
+            }
+
             // Skip directory listings if we have been configured to
             // suppress them
             if (!listings) {

@@ -764,9 +764,25 @@ public void setCookieProcessor(CookieProcessor cookieProcessor) { /* NO-OP */ }
 
     @Override
     public void setValidateClientProvidedNewSessionId(boolean validateClientProvidedNewSessionId) {
-        //NO-OP
+        // NO-OP
     }
 
     @Override
     public boolean getValidateClientProvidedNewSessionId() { return false; }
+
+    @Override
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperContextRootRedirectEnabled() { return false; }
+
+    @Override
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperDirectoryRedirectEnabled() { return false; }
 }
\ No newline at end of file

@@ -1234,4 +1234,20 @@ public void setValidateClientProvidedNewSessionId(boolean validateClientProvided
 
     @Override
     public boolean getValidateClientProvidedNewSessionId() { return false; }
+
+    @Override
+    public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperContextRootRedirectEnabled() { return false; }
+
+    @Override
+    public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
+        // NO-OP
+    }
+
+    @Override
+    public boolean getMapperDirectoryRedirectEnabled() { return false; }
 }

@@ -18,6 +18,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.util.HashMap;
 import java.util.List;
 
@@ -33,7 +34,10 @@
 import org.apache.catalina.core.StandardContext;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.catalina.valves.RemoteAddrValve;
 import org.apache.tomcat.util.buf.ByteChunk;
+import org.apache.tomcat.util.descriptor.web.SecurityCollection;
+import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.apache.tomcat.websocket.server.WsContextListener;
 
 /**
@@ -225,6 +229,66 @@ public void testWelcomeFileStrict() throws Exception {
         Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, rc);
     }
 
+    @Test
+    public void testRedirect() throws Exception {
+        // Disable the following of redirects for this test only
+        boolean originalValue = HttpURLConnection.getFollowRedirects();
+        HttpURLConnection.setFollowRedirects(false);
+        try {
+            Tomcat tomcat = getTomcatInstance();
+
+            // Use standard test webapp as ROOT
+            File rootDir = new File("test/webapp");
+            org.apache.catalina.Context root =
+                    tomcat.addWebapp(null, "", rootDir.getAbsolutePath());
+
+            // Add a security constraint
+            SecurityConstraint constraint = new SecurityConstraint();
+            SecurityCollection collection = new SecurityCollection();
+            collection.addPattern("/welcome-files/*");
+            collection.addPattern("/welcome-files");
+            constraint.addCollection(collection);
+            constraint.addAuthRole("foo");
+            root.addConstraint(constraint);
+
+            // Also make examples available
+            File examplesDir = new File(getBuildDirectory(), "webapps/examples");
+            org.apache.catalina.Context examples  = tomcat.addWebapp(
+                    null, "/examples", examplesDir.getAbsolutePath());
+            // Then block access to the examples to test redirection
+            RemoteAddrValve rav = new RemoteAddrValve();
+            rav.setDeny(".*");
+            rav.setDenyStatus(404);
+            examples.getPipeline().addValve(rav);
+
+            tomcat.start();
+
+            // Redirects within a web application
+            doRedirectTest("/welcome-files", 401);
+            doRedirectTest("/welcome-files/", 401);
+
+            doRedirectTest("/jsp", 302);
+            doRedirectTest("/jsp/", 404);
+
+            doRedirectTest("/WEB-INF", 404);
+            doRedirectTest("/WEB-INF/", 404);
+
+            // Redirects between web applications
+            doRedirectTest("/examples", 404);
+            doRedirectTest("/examples/", 404);
+        } finally {
+            HttpURLConnection.setFollowRedirects(originalValue);
+        }
+    }
+
+
+    private void doRedirectTest(String path, int expected) throws IOException {
+        ByteChunk bc = new ByteChunk();
+        int rc = getUrl("http://localhost:" + getPort() + path, bc, null);
+        Assert.assertEquals(expected, rc);
+    }
+
+
     /**
      * Prepare a string to search in messages that contain a timestamp, when it
      * is known that the timestamp was printed between {@code timeA} and

@@ -647,8 +647,7 @@ public static int methodUrl(String path, ByteChunk out, int readTimeout,
             String method) throws IOException {
 
         URL url = new URL(path);
-        HttpURLConnection connection =
-            (HttpURLConnection) url.openConnection();
+        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
         connection.setUseCaches(false);
         connection.setReadTimeout(readTimeout);
         connection.setRequestMethod(method);

@@ -20,6 +20,7 @@
 import org.junit.Test;
 
 import org.apache.catalina.Context;
+import org.apache.catalina.servlets.DefaultServlet;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.catalina.startup.TomcatBaseTest;
 import org.apache.tomcat.util.buf.ByteChunk;
@@ -75,6 +76,8 @@ private void doTestRewrite(String config, String request, String expectedURI) th
         Tomcat.addServlet(ctx, "snoop", new SnoopServlet());
         ctx.addServletMapping("/a/%255A", "snoop");
         ctx.addServletMapping("/c/*", "snoop");
+        Tomcat.addServlet(ctx, "default", new DefaultServlet());
+        ctx.addServletMapping("/", "default");
 
         tomcat.start();
 

@@ -52,6 +52,16 @@
         <code>Mapper</code> used is the <code>Mapper</code> associated with the
         <code>Service</code> for which the listener was created. (markt)
       </scode>
+      <add>
+        Move the functionality that provides redirects for context roots and
+        directories where a trailing <code>/</code> is added from the Mapper to
+        the <code>DefaultServlet</code>. This enables such requests to be
+        processed by any configured Valves and Filters before the redirect is
+        made. This behaviour is configurable via the
+        <code>mapperContextRootRedirectEnabled</code> and
+        <code>mapperDirectoryRedirectEnabled</code> attributes of the Context
+        which may be used to restore the previous behaviour. (markt)
+      </add>
     </changelog>
   </subsection>
 </section>

@@ -360,6 +360,22 @@
         default value of <code>false</code> is used.</p>
       </attribute>
 
+      <attribute name="mapperContextRootRedirectEnabled" required="false">
+        <p>If enabled, requests for a web application context root will be
+        redirected (adding a trailing slash) if necessary by the Mapper rather
+        than the default Servlet. This is more efficient but has the side effect
+        of confirming that the context path exists. If not specified, the
+        default value of <code>false</code> is used.</p>
+      </attribute>
+
+      <attribute name="mapperDirectoryRedirectEnabled" required="false">
+        <p>If enabled, requests for a web application directory will be
+        redirected (adding a trailing slash) if necessary by the Mapper rather
+        than the default Servlet. This is more efficient but has the side effect
+        of confirming that the directory is exists. If not specified, the
+        default value of <code>false</code> is used.</p>
+      </attribute>
+
       <attribute name="override" required="false">
         <p>Set to <code>true</code> to ignore any settings in both the global
         or <a href="host.html">Host</a> default contexts.  By default, settings