beehive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rich Feit (JIRA)" <>
Subject [jira] Resolved: (BEEHIVE-635) Tomcat PageflowValve does not check for security-constraints defined in web.xml
Date Thu, 08 Dec 2005 17:17:09 GMT
     [ ]
Rich Feit resolved BEEHIVE-635:

    Resolution: Fixed
     Assign To: Alejandro Ramirez  (was: Rich Feit)

I meant to resolve this a long time ago -- these changes are in the Tomcat 5.5 ServletContainerAdapter
that was contributed by Abdessattar (thanks again!).

Alex, to repro this, you can just add the following security constraint to web.xml:

        <web-resource-name>Secure PageFlow - all</web-resource-name>

Then, follow the instructions at $BEEHIVE_HOME/netui/test/webapps/tomcat/README.txt for integrating
with Tomcat 5.5, deploy the app, and hit http://localhost:8080/<your webapp name>/security/secure.jsp.
 If the bug is fixed, then the request will be switched to https.  If not, it'll remain in

> Tomcat PageflowValve does not check for security-constraints defined in web.xml
> -------------------------------------------------------------------------------
>          Key: BEEHIVE-635
>          URL:
>      Project: Beehive
>         Type: Bug
>   Components: NetUI
>     Versions: V1Alpha, v1m1, V1Beta
>  Environment: Using beehive latest from SVN and Tomcat 5.5.7
>     Reporter: Abdessattar Sassi
>     Assignee: Alejandro Ramirez
>      Fix For: 1.1
>  Attachments: patch.txt
> The Tomcat implementation of the Pipeline for a Context is such that only one Valve which
is also an Authenticator valve is added to the Pipeline. The standard Tomcat Authenticator
valves (e.g. BasicAuthenticator) check for and honor all the security constraints specified
in the webapp web.xml descriptor.
> The PageflowValve implementation part of tomcat-server under netui is an Authenticaor
valve as it extends BasicAuthenticator, which means that it is mutually exclusive with the
regular Tomcat authenticator valves (only one can be in the pipeline). It does not however
keep the features that were part of the AuthenticatorBase and the BasicAuthentiocator invoke()
method implementation. Such issue results for example in the user-data-constraint elements
being completely ignored, and therefore pages who are supposed to be served only with SSL
are always served without SSL.
> Following is an example of the code from the regular Tomcat authenticators that is missing
from beehive adapter (please note that the code is from Tomcat 5.5.7 with which by the way
beehive does not compile, but should give you a good idea of the missing features...):
>         // Enforce any user data constraint for this security constraint
>         if (log.isDebugEnabled()) {
>             log.debug(" Calling hasUserDataPermission()");
>         }
>         Realm realm = this.context.getRealm();
>         // Is this request URI subject to a security constraint?
>         SecurityConstraint [] constraints
>             = realm.findSecurityConstraints(request, this.context);
>         if (!realm.hasUserDataPermission(request, response,
>                                          constraints)) {
>             if (log.isDebugEnabled()) {
>                 log.debug(" Failed hasUserDataPermission() test");
>             }
>             /*
>              * ASSERT: Authenticator already set the appropriate
>              * HTTP status code, so we do not have to do anything special
>              */
>             return;
>         }

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:

View raw message