tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 34549] New: - isUserInRole() on non-secure pages
Date Thu, 21 Apr 2005 06:17:11 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=34549>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=34549

           Summary: isUserInRole() on non-secure pages
           Product: Tomcat 5
           Version: 5.5.9
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: oleg.timoshenko@xantic.net


Tomcat 5.5.9.
I have two JSPs: /a.jsp and /secure/b.jsp
Deployment descriptor (related parts):
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/security/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>AGENT</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Web Portal Authentification Realm</realm-name>
</login-config>

<security-role> <role-name>AGENT</role-name> </security-role>
<!-- End of DD -->

In the body of each web page I have the following scriptlet:
<%=request.isUserInRole("AGENT")%>

I access web pages using the following two scenarios:
========================
Scenario 1 (correct behaviour):
Action [Result]
1) /a.jsp [page a is displayed, scriptlet outputs "false"] - Correct
2) /security/b.jsp [authorization request, I supply credentials of the user which has the AGENT role; page b is displayed, scriptlet outputs "true"] - Correct
3) /a.jsp [same as 1)] - Correct
========================
Scenario 2 (step 2 produces incorrect output):
1) /security/b.jsp [authorization request, I supply credentials of the user which has the AGENT role; page b is displayed, scriptlet outputs "true"]
2) /a.jsp [page a is displayed, scriptlet outputs "false"; both request.getUserPrincipal() and request.getRemoteUser() return null] - WRONG
3) /security/b.jsp [page b is displayed, scriptlet outputs "true"] - Correct
4) /a.jsp [page a is displayed, scriptlet outputs "true"] - Correct

Note: I instruct browsers not to cache pages by including the following scriptlet at the beginning of both pages /a.jsp and /security/b.jsp:
<%  response.setHeader("Cache-Control","no-cache");
    response.setHeader("Pragma","no-cache");  %>
