Return-Path: Delivered-To: apmail-geronimo-dev-archive@www.apache.org Received: (qmail 40718 invoked from network); 29 Jul 2005 15:53:57 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 29 Jul 2005 15:53:57 -0000 Received: (qmail 37889 invoked by uid 500); 29 Jul 2005 15:53:50 -0000 Delivered-To: apmail-geronimo-dev-archive@geronimo.apache.org Received: (qmail 37858 invoked by uid 500); 29 Jul 2005 15:53:50 -0000 Mailing-List: contact dev-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: dev@geronimo.apache.org List-Id: Delivered-To: mailing list dev@geronimo.apache.org Received: (qmail 37842 invoked by uid 99); 29 Jul 2005 15:53:50 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 29 Jul 2005 08:53:50 -0700 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: local policy) Received: from [216.136.173.58] (HELO smtp014.mail.yahoo.com) (216.136.173.58) by apache.org (qpsmtpd/0.29) with SMTP; Fri, 29 Jul 2005 08:53:42 -0700 Received: (qmail 18191 invoked from network); 29 Jul 2005 15:53:47 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:Mime-Version:In-Reply-To:References:Content-Type:Message-Id:Content-Transfer-Encoding:From:Subject:Date:To:X-Mailer; b=uZNi6mHaAOEkSr0VQnWbc2311SSB1hZPpoSZQQByjA5gnWZj3nhXLK5fGVxZBd0PZ5ucHFQQSQ+NuIMif1xoz2szFMHCbMv2DG+Hwi2C1ahgT67FXZPwcboD5nISemZ/0CD/N1oIP6La/lyqzB+XdoG4cQUw58IThfmPpC7CbnY= ; Received: from unknown (HELO ?192.168.1.105?) (david?jencks@66.93.38.137 with plain) by smtp014.mail.yahoo.com with SMTP; 29 Jul 2005 15:53:47 -0000 Mime-Version: 1.0 (Apple Message framework v622) In-Reply-To: <42EA498F.1030401@toolazydogs.com> References: <42E9938D.5060808@optusnet.com.au> <42E999D8.5000301@savoirtech.com> <42EA45BB.4050601@savoirtech.com> <42EA498F.1030401@toolazydogs.com> Content-Type: text/plain; charset=WINDOWS-1252; format=flowed Message-Id: <6ac45a2410176e4609d627e97e433a8c@yahoo.com> Content-Transfer-Encoding: quoted-printable From: David Jencks Subject: Re: Potential Security Bug? Date: Fri, 29 Jul 2005 08:53:46 -0700 To: dev@geronimo.apache.org X-Mailer: Apple Mail (2.622) X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N now that jeff has actually pointed out the relevant part of the spec I=20= agree :-) thanks david jencks On Jul 29, 2005, at 8:21 AM, Alan D. Cabrera wrote: > Seems like a bug to me. Let's file a Jira issue. > > > Regards, > Alan > > Jeff Genender wrote, On 7/29/2005 8:05 AM: > >> >> David Jencks wrote: >> >>> I think our behavior is correct. I don't quite understand what the=20= >>> other possibilities are. FWIW, I don't think we should bend over=20= >>> backward to support jsp pages not mentioned web.xml. >> >> >> DJ, we have to support the behavior (to a degree - its in the JACC=20 >> spec). >> >> Per the JACC spec: >> >> ******************* >> B.19 Calling isUserInRole from JSP not mapped to a Servlet >> >> Checking a WebRoleRefPermission requires the name of a Servlet to=20 >> identify the scope of the reference to role translation. The name of=20= >> a scoping servlet has not been established for an unmapped JSP. >> Resolution=96 For every security role in the web application add a=20 >> WebRoleRefPermission to the corresponding role. The name of all such=20= >> permissions shall be the empty string, and the actions of each=20 >> permission shall be the corresponding role name. When checking a=20 >> WebRoleRefPermission from a JSP not mapped to a servlet, use a=20 >> permission with the empty string as its name and with the argument to=20= >> isUserInRole as its actions. This specification will require that=20 >> containers implement this resolution when the Servlet Specification >> requires that containers test the caller for membership in the role=20= >> named by the argument to isUserInRole when isUserInRole is called=20 >> from an unmapped JSP. >> ******************* >> >> In the JAASJettyRealm.isUserInRole() I see a call to=20 >> JettyServletHolder.getCurrentServletName(). Does=20 >> getCurrentServletName() return an empty String as required by the=20 >> spec when its using an unmapped JSP? I cannot find any code that=20 >> specifically does this. In Tomcat's version of=20 >> TomcatGeronimoRealm.getServletName() I literally coded: >> >> /** >> * JACC v1.0 secion B.19 >> */ >> if (name.equals("jsp")) { >> name =3D ""; >> } >> >> >> Please let me know if I am not seeing something here or am not=20 >> understanding this correctly. >> >> Jeff >> >> >>> >>> thanks >>> david jencks >>> >>> On Jul 28, 2005, at 7:52 PM, Jeff Genender wrote: >>> >>>> Yes...there might be a bug here... >>>> >>>> IIRC, the Jetty JACC code did not test for JACC v1.0 section B.19=20= >>>> which is an explicit test for JSPs under JACC. I am not sure if=20 >>>> this is the case here...but it sounds like it. >>>> >>>> I would like to see what David Jencks or Alan thinks about this. >>>> >>>> Jeff >>>> >>>> Gianny Damour wrote: >>>> >>>>> Hi, >>>>> I have been trying to understand why I was not able to make the=20 >>>>> Java Pet Store Supplier Application to pass a security check and I=20= >>>>> think that I have discovered a potential bug. Prior to log it, I=20= >>>>> would like to confirm that this is not a code issue in PetStore. >>>>> The scenario is rather simple: >>>>> * the url "/RcvrRequestProcessor" is secured and only the=20 >>>>> "administator" role can access it; >>>>> * a FORM based authentication is configured to log in the users; >>>>> * the url "/RcvrRequestProcessor" plays the role of a dispatcher=20= >>>>> servlet and forwards to the jsp file "/displayinventory.jsp"; >>>>> * within the jsp "/displayinventory.jsp" there is the following=20 >>>>> security check " request.isUserInRole("administrator")"; and >>>>> * this security check fails. >>>>> I think that the security configuration is OK as I can log in and=20= >>>>> successfully access the url "/RcvrRequestProcessor", which=20 >>>>> requires an "administrator" role. >>>>> However, isUserInRole fails. This is the Permission which is=20 >>>>> tested: >>>>> (javax.security.jacc.WebRoleRefPermission jsp administrator) >>>>> Against the following Permissions: >>>>> java.security.Permissions@93139 ( >>>>> (javax.security.jacc.WebResourcePermission /RcvrRequestProcessor=20= >>>>> GET,POST) >>>>> (javax.security.jacc.WebRoleRefPermission PopulateServlet=20 >>>>> administrator) >>>>> (javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor=20 >>>>> administrator) >>>>> ) >>>>> The "jsp" portion of the Permission being tested is the name of=20 >>>>> the servlet being processed and comes from a JettyServletHolder=20 >>>>> automatically registered for the processing of jsp files. >>>>> If I add to the web.xml DD the following elements to explicitly=20 >>>>> register the jsp "/displayinventory.jsp", then isUserInRole works=20= >>>>> as expected: >>>>> >>>>> /displayinventory.jsp >>>>> /displayinventory.jsp >>>>> >>>>> >>>>> /displayinventory.jsp >>>>> /displayinventory.jsp >>>>> >>>>> Indeed, with this explicit mapping, when isUserInRole is executed,=20= >>>>> the Permission to be tested is: >>>>> (javax.security.jacc.WebRoleRefPermission /displayinventory.jsp=20 >>>>> administrator) >>>>> And the Permissions is: >>>>> java.security.Permissions@18ef578 ( >>>>> (javax.security.jacc.WebRoleRefPermission /displayinventory.jsp=20 >>>>> administrator) >>>>> (javax.security.jacc.WebRoleRefPermission PopulateServlet=20 >>>>> administrator) >>>>> (javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor=20 >>>>> administrator) >>>>> (javax.security.jacc.WebResourcePermission /RcvrRequestProcessor=20= >>>>> GET,POST) >>>>> ) >>>>> As a matter of fact, I am not sure if this is a bug in our=20 >>>>> implementation or in PetStore (FYI, I have found another=20 >>>>> configuration issue for an ejb-jar.xml DD). >>>>> Any idea? >>>>> Thanks, >>>>> Gianny >>>> >>>> >>>> > >