geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: Potential Security Bug?
Date Fri, 29 Jul 2005 05:44:22 GMT
I think our behavior is correct.  I don't quite understand what the 
other possibilities are.  FWIW, I don't think we should   bend over 
backward to support jsp pages not mentioned web.xml.

thanks
david jencks

On Jul 28, 2005, at 7:52 PM, Jeff Genender wrote:

> Yes...there might be a bug here...
>
> IIRC, the Jetty JACC code did not test for JACC v1.0 section B.19 
> which is an explicit test for JSPs under JACC.  I am not sure if this 
> is the case here...but it sounds like it.
>
> I would like to see what David Jencks or Alan thinks about this.
>
> Jeff
>
> Gianny Damour wrote:
>> Hi,
>> I have been trying to understand why I was not able to make the Java 
>> Pet Store Supplier Application to pass a security check and I think 
>> that I have discovered a potential bug. Prior to log it, I would like 
>> to confirm that this is not a code issue in PetStore.
>> The scenario is rather simple:
>> * the url "/RcvrRequestProcessor" is secured and only the 
>> "administator" role can access it;
>> * a FORM based authentication is configured to log in the users;
>> * the url "/RcvrRequestProcessor" plays the role of a dispatcher 
>> servlet and forwards to the jsp file "/displayinventory.jsp";
>> * within the jsp "/displayinventory.jsp" there is the following 
>> security check " request.isUserInRole("administrator")"; and
>> * this security check fails.
>> I think that the security configuration is OK as I can log in and 
>> successfully access the url "/RcvrRequestProcessor", which requires 
>> an "administrator" role.
>> However, isUserInRole fails. This is the Permission which is tested:
>> (javax.security.jacc.WebRoleRefPermission jsp administrator)
>> Against the following Permissions:
>> java.security.Permissions@93139 (
>> (javax.security.jacc.WebResourcePermission /RcvrRequestProcessor 
>> GET,POST)
>> (javax.security.jacc.WebRoleRefPermission PopulateServlet 
>> administrator)
>> (javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor 
>> administrator)
>> )
>> The "jsp" portion of the Permission being tested is the name of the 
>> servlet being processed and comes from a JettyServletHolder 
>> automatically registered for the processing of jsp files.
>> If I add to the web.xml DD the following elements to explicitly 
>> register the jsp "/displayinventory.jsp", then isUserInRole works as 
>> expected:
>>  <servlet>
>>    <servlet-name>/displayinventory.jsp</servlet-name>
>>    <jsp-file>/displayinventory.jsp</jsp-file>
>>  </servlet>
>>  <servlet-mapping>
>>    <servlet-name>/displayinventory.jsp</servlet-name>
>>    <url-pattern>/displayinventory.jsp</url-pattern>
>>  </servlet-mapping>
>> Indeed, with this explicit mapping, when isUserInRole is executed, 
>> the Permission to be tested is:
>> (javax.security.jacc.WebRoleRefPermission /displayinventory.jsp 
>> administrator)
>> And the Permissions is:
>> java.security.Permissions@18ef578 (
>> (javax.security.jacc.WebRoleRefPermission /displayinventory.jsp 
>> administrator)
>> (javax.security.jacc.WebRoleRefPermission PopulateServlet 
>> administrator)
>> (javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor 
>> administrator)
>> (javax.security.jacc.WebResourcePermission /RcvrRequestProcessor 
>> GET,POST)
>> )
>> As a matter of fact, I am not sure if this is a bug in our 
>> implementation or in PetStore (FYI, I have found another 
>> configuration issue for an ejb-jar.xml DD).
>> Any idea?
>> Thanks,
>> Gianny
>


Mime
View raw message