Return-Path: Delivered-To: apmail-geronimo-dev-archive@www.apache.org Received: (qmail 34263 invoked from network); 29 Jul 2005 11:11:10 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 29 Jul 2005 11:11:10 -0000 Received: (qmail 84596 invoked by uid 500); 29 Jul 2005 05:44:30 -0000 Delivered-To: apmail-geronimo-dev-archive@geronimo.apache.org Received: (qmail 83884 invoked by uid 500); 29 Jul 2005 05:44:28 -0000 Mailing-List: contact dev-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: dev@geronimo.apache.org List-Id: Delivered-To: mailing list dev@geronimo.apache.org Received: (qmail 83871 invoked by uid 99); 29 Jul 2005 05:44:27 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 28 Jul 2005 22:44:27 -0700 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: local policy) Received: from [66.163.169.223] (HELO smtp104.mail.sc5.yahoo.com) (66.163.169.223) by apache.org (qpsmtpd/0.29) with SMTP; Thu, 28 Jul 2005 22:44:19 -0700 Received: (qmail 28142 invoked from network); 29 Jul 2005 05:44:25 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:Mime-Version:In-Reply-To:References:Content-Type:Message-Id:Content-Transfer-Encoding:From:Subject:Date:To:X-Mailer; b=lA/Yan4Oy9OIgo74v1/uK0+DcDciu5qCiqU8zzvn6rVGI6KuZMOFpnRSJcK8BRcCCzhn6Y0B/5rUn96ePY8QbFsKv2qsz5ctWXJgIeVHyPLtKl0UvAEwOtzMbQAGT2E0xVZse4LImx673aMGSokHaLhFoaoLhYgU+HLBC9Hcomk= ; Received: from unknown (HELO ?192.168.1.105?) (david?jencks@66.93.38.137 with plain) by smtp104.mail.sc5.yahoo.com with SMTP; 29 Jul 2005 05:44:24 -0000 Mime-Version: 1.0 (Apple Message framework v622) In-Reply-To: <42E999D8.5000301@savoirtech.com> References: <42E9938D.5060808@optusnet.com.au> <42E999D8.5000301@savoirtech.com> Content-Type: text/plain; charset=US-ASCII; format=flowed Message-Id: Content-Transfer-Encoding: 7bit From: David Jencks Subject: Re: Potential Security Bug? Date: Thu, 28 Jul 2005 22:44:22 -0700 To: dev@geronimo.apache.org X-Mailer: Apple Mail (2.622) X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N I think our behavior is correct. I don't quite understand what the other possibilities are. FWIW, I don't think we should bend over backward to support jsp pages not mentioned web.xml. thanks david jencks On Jul 28, 2005, at 7:52 PM, Jeff Genender wrote: > Yes...there might be a bug here... > > IIRC, the Jetty JACC code did not test for JACC v1.0 section B.19 > which is an explicit test for JSPs under JACC. I am not sure if this > is the case here...but it sounds like it. > > I would like to see what David Jencks or Alan thinks about this. > > Jeff > > Gianny Damour wrote: >> Hi, >> I have been trying to understand why I was not able to make the Java >> Pet Store Supplier Application to pass a security check and I think >> that I have discovered a potential bug. Prior to log it, I would like >> to confirm that this is not a code issue in PetStore. >> The scenario is rather simple: >> * the url "/RcvrRequestProcessor" is secured and only the >> "administator" role can access it; >> * a FORM based authentication is configured to log in the users; >> * the url "/RcvrRequestProcessor" plays the role of a dispatcher >> servlet and forwards to the jsp file "/displayinventory.jsp"; >> * within the jsp "/displayinventory.jsp" there is the following >> security check " request.isUserInRole("administrator")"; and >> * this security check fails. >> I think that the security configuration is OK as I can log in and >> successfully access the url "/RcvrRequestProcessor", which requires >> an "administrator" role. >> However, isUserInRole fails. This is the Permission which is tested: >> (javax.security.jacc.WebRoleRefPermission jsp administrator) >> Against the following Permissions: >> java.security.Permissions@93139 ( >> (javax.security.jacc.WebResourcePermission /RcvrRequestProcessor >> GET,POST) >> (javax.security.jacc.WebRoleRefPermission PopulateServlet >> administrator) >> (javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor >> administrator) >> ) >> The "jsp" portion of the Permission being tested is the name of the >> servlet being processed and comes from a JettyServletHolder >> automatically registered for the processing of jsp files. >> If I add to the web.xml DD the following elements to explicitly >> register the jsp "/displayinventory.jsp", then isUserInRole works as >> expected: >> >> /displayinventory.jsp >> /displayinventory.jsp >> >> >> /displayinventory.jsp >> /displayinventory.jsp >> >> Indeed, with this explicit mapping, when isUserInRole is executed, >> the Permission to be tested is: >> (javax.security.jacc.WebRoleRefPermission /displayinventory.jsp >> administrator) >> And the Permissions is: >> java.security.Permissions@18ef578 ( >> (javax.security.jacc.WebRoleRefPermission /displayinventory.jsp >> administrator) >> (javax.security.jacc.WebRoleRefPermission PopulateServlet >> administrator) >> (javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor >> administrator) >> (javax.security.jacc.WebResourcePermission /RcvrRequestProcessor >> GET,POST) >> ) >> As a matter of fact, I am not sure if this is a bug in our >> implementation or in PetStore (FYI, I have found another >> configuration issue for an ejb-jar.xml DD). >> Any idea? >> Thanks, >> Gianny >