geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Genender (JIRA)" <>
Subject [jira] Commented: (GERONIMO-2695) Requests using Non-secure HTTP connections cannot access unsecured web resources
Date Fri, 05 Jan 2007 04:02:28 GMT


Jeff Genender commented on GERONIMO-2695:

"On each HTTP request to the server, a call is made to TomcatGeronimoRealm.hasResourcePermission(...)
to check if the resource is authorized for the user. I'm pretty sure the issue has to do with
the code fragment that I pointed out originally."

That wasn't my reference...since I indeed wrote that code.  I was referring to the deployment
code, which really is the issue here.  You pointed that out via not needing the auth-constraint.
 That is a deployment problem, not a realm issue.

> Requests using Non-secure HTTP connections cannot access unsecured web resources
> --------------------------------------------------------------------------------
>                 Key: GERONIMO-2695
>                 URL:
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security, Tomcat, web
>    Affects Versions: 1.1.1
>         Environment: Geronimo running on Windows XP
>            Reporter: Aman Nanner
>         Assigned To: Jeff Genender
>         Attachments: test.war
> Consider the following fragment of my web.xml in my WAR:
> ----
>    <security-constraint>
>       <display-name>Unsecure Constraint</display-name>
>       <web-resource-collection>
>          <web-resource-name>Unsecure Resource Collection</web-resource-name>
>          <url-pattern>/common/error/*</url-pattern>
>          <url-pattern>/common/includes/*</url-pattern>
>          <url-pattern>/common/Message.jsp</url-pattern>
>          <url-pattern>/common/resources/*</url-pattern>
>          <url-pattern>/common/security/login.jsp</url-pattern>
>          <url-pattern>/common/security/logout.jsp</url-pattern>
>          <url-pattern>/servlet/branding/*</url-pattern>
>          <url-pattern>/servlet/image/*</url-pattern>
>          <url-pattern>/servlet/login/*</url-pattern>
>          <url-pattern>/servlet/definecookie</url-pattern>
>          <http-method>GET</http-method>
>          <http-method>POST</http-method>
>       </web-resource-collection>
>       <user-data-constraint>
>          <transport-guarantee>NONE</transport-guarantee>
>       </user-data-constraint>
>    </security-constraint>
>    <security-constraint>
>       <display-name>Secure Constraint</display-name>
>       <web-resource-collection>
>          <web-resource-name>Secure Resource Collection</web-resource-name>
>          <url-pattern>/</url-pattern>
>          <http-method>GET</http-method>
>          <http-method>POST</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>          <role-name>MXSYSTEM</role-name>
>       </auth-constraint>
>       <user-data-constraint>
>          <transport-guarantee>NONE</transport-guarantee>
>       </user-data-constraint>
>    </security-constraint>
>    <login-config>
>       <auth-method>FORM</auth-method>
>       <form-login-config>
>          <form-login-page>/common/security/PreLogin.jsp</form-login-page>
>          <form-error-page>/common/security/error.jsp</form-error-page>
>       </form-login-config>
>    </login-config>
>    <security-role>
>       <description>Application System Role</description>
>       <role-name>MXSYSTEM</role-name>
>    </security-role>
> ----
> There are two sets of web resources defined: a secured web resource collection, and an
unsecured web resource collection.  The secured web collection is by default everything that
matches the "/" pattern.  In the unsecured web collection, we use specific URL patterns so
that certain resources can be accessed prior to login.  Note that there is no security role
defined for the unsecured web resource collection, as these resources should be available
to every request.
> The problem is that access is denied to to the unsecured web resource collection, even
though they are defined as unsecured.  A blank HTML page is returned instead of the appropriate
resource.  After some debugging, I discovered what seems to be a bug in the org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm
class.  Consider the following code fragment in the hasResourceCollection(...) method:
> ----
>         // Which user principal have we already authenticated?
>         Principal principal = request.getUserPrincipal();
>         //If we have no principal, then we should use the default.
>         if (principal == null) {
>             return request.isSecure();
>         } else {
>             Subject currentCaller = ((JAASTomcatPrincipal) principal).getSubject();
>             ContextManager.setCallers(currentCaller, currentCaller);
>         }
> ----
> When I make an HTTP connection to an unsecure web resource, I am unauthenticated before
I can login.  Thus, the principal in this case is null.  In the case of a null principal,
the code seems to base its authorization on whether or not the request is secure!  This seems
very strange to me, as it should be able to accept normal, unauthenticated, HTTP connections
to unsecure web resources.
> I tried accessing the unsecured web resources over HTTPS, and sure enough, I was able
to access them because of the secure connection.  I'm not sure why this works only over
should work in both cases.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:


View raw message