From: "Aaron Mulder (JIRA)"
To: dev@geronimo.apache.org
Date: Mon, 9 Jan 2006 15:31:01 +0100 (CET)
Subject: [jira] Commented: (GERONIMO-1440) JAASJettyRealm not shared enough
Message-ID: <447505491.1136817061349.JavaMail.jira@ajax.apache.org>
In-Reply-To: <2144123344.1136801852955.JavaMail.jira@ajax.apache.org>

    [ http://issues.apache.org/jira/browse/GERONIMO-1440?page=comments#action_12362207 ]

Aaron Mulder commented on GERONIMO-1440:
----------------------------------------

By "external realm" do you mean web-app/login-config/realm-name? If so, I disagree with attaching any significance to this at all.

The definition of that element is "indicates the realm name to be used in HTTP BASIC authentication". It is unnecessary (and has no defined purpose) for cert or form-based login.

What if we have important app A and hostile app B? Hostile app B deploys a hostile security realm (e.g. one that records the username and password for every login attempt) with the same realm-name as important app A uses. Now, if I understand your patch correctly, if app A deploys first, both apps use the proper security realm, which makes B useless. But if B deploys first, it "wins" the Jetty realm and everyone's username and password is recorded by the hostile security realm when they go to log in to app A?

I'll grant you we're not yet ready to be super defensive about applications running in the same server, but I think every app ought to have a completely distinct Jetty security realm, and if two of those happen to point to the same Geronimo security realm under the covers (due to the security-realm-name in the geronimo-web.xml), fine.

> JAASJettyRealm not shared enough
> --------------------------------
>
>          Key: GERONIMO-1440
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1440
>      Project: Geronimo
>         Type: Bug
>   Components: web
>     Versions: 1.0
>     Reporter: David Jencks
>     Assignee: David Jencks
>      Fix For: 1.1
>
> There are a bunch of problems that lead back to missing JAASJettyRealms or multiple "equal" JAASJettyRealms.
>
> A JAASJettyRealm has an (external) realm name from the web.xml, an internal Geronimo realm name, and a map of user name to principal (which includes the Subject for that user) for logged-in users. If you supply an (internal) security realm name, a JAASJettyRealm is registered with the HTTPContext and used for authentication, reauthentication, etc. If you don't supply a security realm name, but there is a realm name, then Jetty tries to get the realm from the JettyServer. Here are some problems:
>
> 1. We never register our JAASJettyRealms with JettyServer, so if you don't supply a security realm name you eventually get NPEs if the app calls isUserInRole etc. etc.
>
> Let's assume we fix (1).
>
> 2. If you have 2 apps A and B deployed with the same external realm name and internal realm name, only the last to start is registered with the JettyServer. Any other app C using the same realm name but no internal realm name will get the second realm. If we did a cross-context dispatch from the first app A to C, C will be using the realm from B.
>
> I think that there should only be one JAASJettyRealm per external realm name, based on servlet spec 2.4 section 12.6. If you disagree, please say why :-).

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
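The realm-name collision discussed in this thread, modelled as an added example: this is constructed illustration code, not Geronimo or Jetty code and not written by either participant. The registry classes (`SharedByExternalName`, `DistinctPerApp`), the `WebApp` record, the credential-recording realm and the user/password data are all assumptions made up for the model. `SharedByExternalName` keys Jetty-side realms by the web.xml realm-name with first-deploy-wins semantics, which is the reading of the patch Aaron is worried about; `DistinctPerApp` keys them per web application, which is what he proposes, even when two apps point at the same Geronimo realm underneath.

```python
"""Model of realm sharing by external realm-name versus per-app realms (constructed example)."""
from dataclasses import dataclass


class Realm:
    """Stand-in for a Geronimo security realm that authenticates users."""

    def __init__(self, name, users):
        self.name = name
        self._users = users  # username -> password; constructed test data

    def authenticate(self, user, password):
        return self._users.get(user) == password


class CredentialRecordingRealm(Realm):
    """Hostile realm: rejects every login but records the credentials presented."""

    def __init__(self, name):
        super().__init__(name, {})
        self.captured = []

    def authenticate(self, user, password):
        self.captured.append((user, password))
        return False


@dataclass
class WebApp:
    name: str             # deployment name of the web app
    realm_name: str       # web.xml login-config/realm-name (the "external" name)
    security_realm: Realm  # geronimo-web.xml security-realm-name (the "internal" realm)


class SharedByExternalName:
    """One realm per external realm-name; the first app to deploy a name wins."""

    def __init__(self):
        self._realms = {}

    def deploy(self, app):
        self._realms.setdefault(app.realm_name, app.security_realm)

    def realm_for(self, app):
        return self._realms[app.realm_name]


class DistinctPerApp:
    """One realm per web app; two apps may still share the same Geronimo realm underneath."""

    def __init__(self):
        self._realms = {}

    def deploy(self, app):
        self._realms[app.name] = app.security_realm

    def realm_for(self, app):
        return self._realms[app.name]


def login(registry, app, user, password):
    """Authenticate a user against whatever realm the registry hands back for the app."""
    return registry.realm_for(app).authenticate(user, password)


def run_scenario(registry_cls):
    """Deploy hostile app B before important app A, then log in to A.

    Returns (login succeeded, credentials the hostile realm captured).
    """
    good = Realm("geronimo-users", {"alice": "s3cret"})          # constructed data
    hostile = CredentialRecordingRealm("hostile")
    app_a = WebApp("A", "Protected Area", good)
    app_b = WebApp("B", "Protected Area", hostile)  # same external realm-name as A
    registry = registry_cls()
    registry.deploy(app_b)  # B deploys first and claims the name
    registry.deploy(app_a)
    ok = login(registry, app_a, "alice", "s3cret")
    return ok, list(hostile.captured)


if __name__ == "__main__":
    print("shared by external name:", run_scenario(SharedByExternalName))
    print("distinct per app:       ", run_scenario(DistinctPerApp))
```

With the name-keyed registry, alice's login to app A is routed through B's realm, fails, and her password ends up in B's capture list; with per-app realms the login succeeds and B sees nothing. The model deliberately ignores the cross-context dispatch case from the issue description, which is a separate question about which realm a dispatched request should see.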