geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gianny Damour <gianny.dam...@optusnet.com.au>
Subject Potential Security Bug?
Date Fri, 29 Jul 2005 02:25:17 GMT
Hi,

I have been trying to understand why I was not able to make the Java Pet 
Store Supplier Application to pass a security check and I think that I 
have discovered a potential bug. Prior to log it, I would like to 
confirm that this is not a code issue in PetStore.

The scenario is rather simple:
* the url "/RcvrRequestProcessor" is secured and only the "administator" 
role can access it;
* a FORM based authentication is configured to log in the users;
* the url "/RcvrRequestProcessor" plays the role of a dispatcher servlet 
and forwards to the jsp file "/displayinventory.jsp";
* within the jsp "/displayinventory.jsp" there is the following security 
check " request.isUserInRole("administrator")"; and
* this security check fails.

I think that the security configuration is OK as I can log in and 
successfully access the url "/RcvrRequestProcessor", which requires an 
"administrator" role.

However, isUserInRole fails. This is the Permission which is tested:
(javax.security.jacc.WebRoleRefPermission jsp administrator)

Against the following Permissions:
java.security.Permissions@93139 (
 (javax.security.jacc.WebResourcePermission /RcvrRequestProcessor GET,POST)
 (javax.security.jacc.WebRoleRefPermission PopulateServlet administrator)
 (javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor 
administrator)
)

The "jsp" portion of the Permission being tested is the name of the 
servlet being processed and comes from a JettyServletHolder 
automatically registered for the processing of jsp files.

If I add to the web.xml DD the following elements to explicitly register 
the jsp "/displayinventory.jsp", then isUserInRole works as expected:
  <servlet>
    <servlet-name>/displayinventory.jsp</servlet-name>
    <jsp-file>/displayinventory.jsp</jsp-file>
  </servlet>

  <servlet-mapping>
    <servlet-name>/displayinventory.jsp</servlet-name>
    <url-pattern>/displayinventory.jsp</url-pattern>
  </servlet-mapping>

Indeed, with this explicit mapping, when isUserInRole is executed, the 
Permission to be tested is:
(javax.security.jacc.WebRoleRefPermission /displayinventory.jsp 
administrator)

And the Permissions is:
java.security.Permissions@18ef578 (
 (javax.security.jacc.WebRoleRefPermission /displayinventory.jsp 
administrator)
 (javax.security.jacc.WebRoleRefPermission PopulateServlet administrator)
 (javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor 
administrator)
 (javax.security.jacc.WebResourcePermission /RcvrRequestProcessor GET,POST)
)

As a matter of fact, I am not sure if this is a bug in our 
implementation or in PetStore (FYI, I have found another configuration 
issue for an ejb-jar.xml DD).

Any idea?

Thanks,
Gianny


Mime
View raw message