geronimo-dev mailing list archives

From "Aaron Mulder (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-1440) JAASJettyRealm not shared enough
Date Mon, 09 Jan 2006 14:31:01 GMT
    [ http://issues.apache.org/jira/browse/GERONIMO-1440?page=comments#action_12362207 ] 

Aaron Mulder commented on GERONIMO-1440:
----------------------------------------

By "external realm" do you mean web-app/login-config/realm-name?  If so, I disagree with attaching
any significance to this at all.  The definition of that element is "indicates the realm name
to be used in HTTP BASIC authentication".  It is unnecessary (and has no defined purpose)
for cert or form-based login.

What if we have important app A and hostile app B.  Hostile app B deploys a hostile security
realm (e.g. records username and password for every login attempt) with the same realm-name
as important app A uses.  Now if I understand your patch correctly, if app A deploys first,
both apps use the proper security realm which makes B useless.  But if B deploys first, it
"wins" the Jetty realm and everyone's username and password is recorded by the hostile security
realm when they go to log in to app A?

I'll grant you we're not yet ready to be super defensive about applications running in the
same server, but I think every app ought to have a completely distinct Jetty security realm,
and if two of those happen to point to the same Geronimo security realm under the covers (due
to the security-realm-name in the geronimo-web.xml), fine.


> JAASJettyRealm not shared enough
> --------------------------------
>
>          Key: GERONIMO-1440
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1440
>      Project: Geronimo
>         Type: Bug
>   Components: web
>     Versions: 1.0
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.1
>
> There are a bunch of problems that lead back to missing JAASJettyRealms or multiple "equal"
> JAASJettyRealms.
> A JAASJettyRealm has an (external) realm name from the web.xml and an internal geronimo
> realm name and a map of user name to principal (which includes the Subject for that user)
> for logged in users.  If you supply an (internal) security realm name, a JAASJettyRealm is
> registered with the HTTPContext and used for authentication, reauthentication, etc.  If you
> don't supply a security realm name, but there is a realm name, then jetty tries to get the
> realm from the JettyServer.  Here are some problems:
> 1. We never register our JAASJettyRealms with JettyServer, so if you don't supply a security
> realm name you eventually get NPEs if the app calls isUserInRole etc.
> Let's assume we fix (1).
> 2. If you have 2 apps A and B deployed with the same external realm name and internal
> realm name, only the last to start is registered with the JettyServer.  Any other app C using
> the same realm name but no internal realm name will get the second realm.  If we did an x-context
> dispatch from the first app A to C, C will be using the realm from B.
> I think that there should only be one JAASJettyRealm per external realm name, based on
> servlet spec 2.4 section 12.6.  If you disagree, please say why :-).

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
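To make the two lookup policies argued over in this thread concrete, here is an added Python model (not Geronimo or Jetty code; the class names, the app ids A/B/C and the realm name "MyRealm" are constructed for illustration). It shows how a server-wide realm keyed only by the web.xml realm-name lets whichever app registers first (or last) answer another app's logins, while a per-app key never hands an app a realm it did not register.

```python
class Realm:
    """Models the parts of a JAASJettyRealm the thread relies on: the
    external realm name (web.xml <realm-name>), the app that deployed
    it, and a map of logged-in user name -> principal."""
    def __init__(self, external_name, owner_app):
        self.external_name = external_name
        self.owner_app = owner_app
        self.users = {}                      # user -> principal

    def login(self, user, password):
        # Whichever realm answers the login sees the credentials.
        self.users[user] = "principal:" + user
        return self.users[user]

class SharedByExternalName:
    """One Jetty realm per external realm name, server-wide.
    first_wins=True models Aaron's reading of the patch; False models
    the 'last to start is registered' behaviour from problem (2)."""
    def __init__(self, first_wins=True):
        self.first_wins = first_wins
        self._realms = {}

    def register(self, realm):
        if self.first_wins and realm.external_name in self._realms:
            return                           # earlier registrant keeps the name
        self._realms[realm.external_name] = realm

    def resolve(self, app, external_name):
        return self._realms.get(external_name)   # requesting app is ignored

class PerApp:
    """Aaron's alternative: every app has its own Jetty realm, so a lookup
    can only return a realm the requesting app registered itself."""
    def __init__(self):
        self._realms = {}

    def register(self, realm):
        self._realms[(realm.owner_app, realm.external_name)] = realm

    def resolve(self, app, external_name):
        return self._realms.get((app, external_name))

def who_sees_login(registry, deploy_order, login_app, user):
    """Deploy one realm named MyRealm per app in `deploy_order`, log `user`
    into `login_app`, and return the owner of the realm that recorded it
    (None when the app has no realm of its own and none is substituted)."""
    for app in deploy_order:
        registry.register(Realm("MyRealm", app))
    realm = registry.resolve(login_app, "MyRealm")
    if realm is None:
        return None
    realm.login(user, "secret")
    return realm.owner_app
```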

