geronimo-dev mailing list archives

From Gianny Damour <>
Subject Potential Security Bug?
Date Fri, 29 Jul 2005 02:25:17 GMT

I have been trying to understand why I was not able to make the Java Pet 
Store Supplier Application pass a security check and I think that I 
have discovered a potential bug. Prior to logging it, I would like to 
confirm that this is not a code issue in PetStore.

The scenario is rather simple:
* the url "/RcvrRequestProcessor" is secured and only the "administrator" 
role can access it;
* a FORM based authentication is configured to log in the users;
* the url "/RcvrRequestProcessor" plays the role of a dispatcher servlet 
and forwards to the jsp file "/displayinventory.jsp";
* within the jsp "/displayinventory.jsp" there is the following security 
check "request.isUserInRole("administrator")"; and
* this security check fails.

I think that the security configuration is OK as I can log in and 
successfully access the url "/RcvrRequestProcessor", which requires an 
"administrator" role.

However, isUserInRole fails. This is the Permission which is tested:
( jsp administrator)

Against the following Permissions: (
 ( /RcvrRequestProcessor GET,POST)
 ( PopulateServlet administrator)
 ( RcvrRequestProcessor 

The "jsp" portion of the Permission being tested is the name of the 
servlet being processed and comes from a JettyServletHolder 
automatically registered for the processing of jsp files.

If I add to the web.xml DD the following elements to explicitly register 
the jsp "/displayinventory.jsp", then isUserInRole works as expected:


Indeed, with this explicit mapping, when isUserInRole is executed, the 
Permission to be tested is:
( /displayinventory.jsp 

And the Permissions are: (
 ( /displayinventory.jsp 
 ( PopulateServlet administrator)
 ( RcvrRequestProcessor 
 ( /RcvrRequestProcessor GET,POST)

As a matter of fact, I am not sure if this is a bug in our 
implementation or in PetStore (FYI, I have found another configuration 
issue for an ejb-jar.xml DD).

Any idea?
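A constructed model of the role-ref check described above, added here as an illustration and not code from Geronimo, Jetty or PetStore. It assumes the container grants one role-ref permission per servlet declared in web.xml and names the implicit JSP holder "jsp"; the real container uses javax.security.jacc.WebRoleRefPermission.

```python
# Constructed model of the JACC WebRoleRefPermission check behind
# request.isUserInRole(). Written for this thread; not Geronimo or Jetty
# code. The real container builds javax.security.jacc.WebRoleRefPermission
# objects from the web.xml deployment descriptor.
from dataclasses import dataclass


@dataclass(frozen=True)
class WebRoleRefPermission:
    servlet_name: str   # name of the servlet the page or servlet runs as
    role: str           # role name as passed to isUserInRole()


def grant_role_refs(declared_servlets, security_roles):
    """Grant one role-ref permission per (declared servlet, role).

    Servlets not declared in web.xml (such as the holder the container
    registers for *.jsp under the name "jsp") receive no permissions.
    """
    return {WebRoleRefPermission(s, r)
            for s in declared_servlets for r in security_roles}


def is_user_in_role(granted, current_servlet_name, role, user_roles):
    """Model of isUserInRole(): the permission must exist for the servlet
    in which the call executes, and the caller must hold the role."""
    needed = WebRoleRefPermission(current_servlet_name, role)
    return needed in granted and role in user_roles


# Constructed web.xml summary matching the PetStore scenario in the thread.
ROLES = {"administrator"}
DECLARED = {"PopulateServlet", "RcvrRequestProcessor"}
USER_ROLES = {"administrator"}   # the logged-in user really is an administrator


def check_implicit_jsp():
    """displayinventory.jsp is forwarded to without being declared, so the
    container runs it under the servlet name "jsp": the check fails."""
    granted = grant_role_refs(DECLARED, ROLES)
    return is_user_in_role(granted, "jsp", "administrator", USER_ROLES)


def check_explicit_jsp():
    """Declaring the JSP as a servlet in web.xml makes the permission
    ( /displayinventory.jsp administrator ) available: the check passes."""
    granted = grant_role_refs(DECLARED | {"/displayinventory.jsp"}, ROLES)
    return is_user_in_role(granted, "/displayinventory.jsp",
                           "administrator", USER_ROLES)
```

The model shows why the failure is not a credentials problem: the user holds the role, but no role-ref permission was ever generated for the servlet name "jsp".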

