tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Luehe <Jan.Lu...@Sun.COM>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm RealmBase.java
Date Wed, 02 Mar 2005 20:51:40 GMT
Bill/Remy,

Bill Barker wrote:
> ----- Original Message -----
> From: "Remy Maucherat" <remm@apache.org>
> To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
> Sent: Wednesday, March 02, 2005 11:56 AM
> Subject: Re: cvs commit:
> jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
> RealmBase.java
> 
> 
> 
>>luehe@apache.org wrote:
>>
>>>luehe       2005/03/02 11:27:11
>>>
>>>  Modified:    catalina/src/share/org/apache/catalina/realm
> 
> RealmBase.java
> 
>>>  Log:
>>>  Consider the case where original request was mapped to welcome page.
>>>  In this case, the mapped welcome page (and not the original request
>>>  URI!) needs to be the target of hasResourcePermission().
>>>
>>>  This is consistent with the change that had been made in
> 
> findSecurityConstraints().
> 
>>>  BTW, shouldn't request.getDecodedRequestURI() return the mapped
>>>  welcome page (instead of the original URI) in this case?
>>>  In other words, shouldn't the path passed to
>>>    mappingData.requestPath.setString(pathStr)
>>>  in Mapper.java be propagated to the request object associatd with the
>>>  mappingData?
>>
>>I consider welcome files to be internal forwards (since it is allowed to
>>handle them this way). As a result, they shouldn't be matched by
>>secrurity constraints. Only the original request path should be the used
>>(so here it's getDecodedRequestURI - as sent by the client).
>>
> 
> 
> I agree with Remy.  It's an internal Tomcat implementation detail that
> welcome-files aren't handled via DefaultServlet doing:
>   RequestDispatcher rd = request.getRequestDispatcher(welcome[i]);
>   rd.forward(request, response);
> Since this is explicitly allowed by the spec, nobody can expect that a
> security-constraint mapped only to the welcome-file will be applied.
> However, this is probably another thing that should be better specified in
> the 2.5 spec.


But SRV.9.10 ("Welcome Files") already has this:

  The container may send the request to the welcome resource with
  a forward, a redirect, or a container specific mechanism
  **that is indistinguishable from a direct request**.

The latter to me implies that any sec constraints must be applied
to the mapped welcome page (if any).

Also, see the attached diffs, in particular:

-        String uri = request.getDecodedRequestURI();
-        String contextPath = hreq.getContextPath();
-        if (contextPath.length() > 0)
-            uri = uri.substring(contextPath.length());
+        String uri = request.getRequestPathMB().toString();

in findSecurityConstraints().

When accessing <host>:<port>:/somecontext/,
which has welcome page /somecontext/index.jsp,

request.getDecodedRequestURI() returns "/somecontext/",
whereas request.getRequestPathMB().toString() returns
"/index.jsp" (as set by the mapper), so there already is a precedent
in findSecurityConstraints() to match sec constraints against
welcome page, which I think makes sense.

Otherwise, the following sec constraint:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

which is supposed to protect all JSP pages, would be bypassed if a
request was mapped to index.jsp welcome page.


Jan



> 
>>Rémy
>>
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
> 
> 
> 
> 
> This message is intended only for the use of the person(s) listed above as the intended
recipient(s), and may contain information that is PRIVILEGED and CONFIDENTIAL.  If you are
not an intended recipient, you may not read, copy, or distribute this message or any attachment.
If you received this communication in error, please notify us immediately by e-mail and then
delete all copies of this message and any attachments.
> 
> In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet
is not secure. Do not send confidential or sensitive information, such as social security
numbers, account numbers, personal identification numbers and passwords, to us via ordinary
(unencrypted) e-mail.
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

Mime
View raw message