tomcat-users mailing list archives

From "Mike Curwen" <gb_...@gb-im.com>
Subject RE: FORM Login Bypassed
Date Fri, 01 Aug 2003 18:10:20 GMT
Thanks Tim, your first sentence I think answers my question about "does
it indeed only work on client requests".

But that's not quite the situation here...
 
It's still a request for a resource

1.  request /dispatcher?page=fookey
2.  dispatcher translates fookey to /somepage/somewhere.jsp
3.  a request for /somepage/somewhere.jsp is made
4.  somepage/somewhere.jsp has a security constraint not being honoured.
 
And this is because security constraints are only checked for
client-side requests, and not through forwarded or included requests
(serverside). Filters currently act this way (the filter mappings are
not honoured when server-side requests are made).  
 
Do you (or anyone else) think that AUTH mappings should be 'enhanced' as
well, so that forwards/includes will be checked? (like Filters have
changed for 2.4) 




> -----Original Message-----
> From: Tim Funk [mailto:funkman@joedog.org] 
> Sent: Friday, August 01, 2003 11:52 AM
> To: Tomcat Users List
> Subject: Re: FORM Login Bypassed
> 
> 
> Security constraints are imposed on the incoming url.
> 
> Query strings are not used in servlet mapping declarations.
> 
> -Tim
> 
> 
> Ronnie wrote:
> > Hi!
> > 
> > I have this web application using FORM login access but I am having a
> > problem directing the navigation to the defined login page when the user
> > clicks on a secure link.
> > 
> > You see, I am using a DispatcherServlet as a navigation controller to
> > direct users to the correct page and the URL is coded as:
> > 
> >     <a href="dispatcher?action=admin">admin</a>
> > 
> > Where "dispatcher" is the URL name of the DispatcherServlet. In the 
> > servlet, "admin" is translated to "/computers/admin/index.jsp" from 
> > values coded in web.xml.
> > 
> > Now when I declare the protected url-pattern as "/computers/admin/*"
> > as below, when I click on the above link the login page is bypassed
> > and I can access the admin index page without logging in.
> > 
> > <security-constraint>
> >      <web-resource-collection>
> >         <web-resource-name>Administration functions</web-resource-name>
> > <!--    <url-pattern>dispatcher?action=admin</url-pattern>    Does not work! -->
> >         <url-pattern>/computers/admin/*</url-pattern>
> >      </web-resource-collection>
> >      <auth-constraint>
> >         <!-- Anyone with one of the listed roles may access this area -->
> >         <role-name>admin</role-name>
> >      </auth-constraint>
> > 
> >   <!-- HTTPS/SSL-->
> >      <user-data-constraint>
> >         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >      </user-data-constraint>
> >   </security-constraint>
> > 
> > <login-config>
> >      <auth-method>FORM</auth-method>
> >    <form-login-config>
> >     <form-login-page>dispatcher?action=adminLogin</form-login-page>
> >     <form-error-page>dispatcher?action=adminLoginFail</form-error-page>
> >   </form-login-config>
> > </login-config>
> > 
> > To overcome this I had to hardcode the link in my webpage as:
> > <a href="/Computers/computers/admin/index.jsp">admin</a>
> > 
> > I wish to keep my navigation based on logical names. Is there a 
> > work-around or solution to this problem?
> > 
> > 
> > 
> > Regards,
> > Ronnie Choo
> > Singapore
> > 
> > 
> > 
> 
> 
> 


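The gap the thread describes is real: the container checks a <security-constraint> only against the URL the client asked for, so a RequestDispatcher.forward() from /dispatcher to /computers/admin/index.jsp is never authenticated or authorised. The Servlet 2.4 <dispatcher> element on a filter-mapping that Mike refers to is one way to close it yourself. The filter below is an added example written for this page, not code from the thread or from Tomcat; it assumes a Servlet 2.4 container with the web.xml Ronnie posted (constrained area /computers/admin/*, role "admin", FORM login), and the class name, package and filter name are invented for illustration.

```java
// Added example, not code from the thread. Assumes a Servlet 2.4 container
// (e.g. Tomcat 5.x) and the web.xml posted above: the constrained area is
// /computers/admin/*, the role is "admin", and login is FORM based.
// Package, class and filter names are invented for illustration.
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Enforces the admin constraint on requests that reach /computers/admin/*
 * through RequestDispatcher.forward(), which the container's authenticator
 * never sees. Map it in web.xml on the same url-pattern as the
 * security-constraint, restricted to the FORWARD dispatcher type so that
 * direct client requests are still handled by the container alone:
 *
 *   <filter>
 *     <filter-name>AdminForwardGuard</filter-name>
 *     <filter-class>example.AdminForwardGuard</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>AdminForwardGuard</filter-name>
 *     <url-pattern>/computers/admin/*</url-pattern>
 *     <dispatcher>FORWARD</dispatcher>
 *   </filter-mapping>
 */
public class AdminForwardGuard implements Filter {

    // Must match <role-name> in the <auth-constraint>; keep the two in sync.
    private static final String REQUIRED_ROLE = "admin";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // During a forward the path methods already reflect the forward
        // target (e.g. /Computers/computers/admin/index.jsp), not /dispatcher.
        String target = request.getRequestURI();

        if (request.getUserPrincipal() == null) {
            // Not logged in. Redirecting the browser to the constrained URL
            // turns this into a client request, so the container applies the
            // <security-constraint> and triggers the FORM login itself.
            // The query string of the forward target is dropped here; append
            // it if the protected page depends on it.
            response.sendRedirect(response.encodeRedirectURL(target));
            return;
        }

        if (!request.isUserInRole(REQUIRED_ROLE)) {
            // Authenticated but not an admin: same outcome the container
            // would give for a direct request.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Mirror <transport-guarantee>CONFIDENTIAL</transport-guarantee>:
        // a forward runs on the transport of the original request to
        // /dispatcher, which the constraint never examined.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Two caveats. The filter duplicates the role and transport rules of the <security-constraint> in code, so both places must be edited together when the rules change. And it is mapped to FORWARD only: on an INCLUDE the response may already be committed, so sendRedirect() would throw IllegalStateException; an include-side guard should instead skip writing the included content. The simpler alternative, which needs no filter, is for the dispatcher servlet to call response.sendRedirect() rather than forward() whenever the logical name resolves to a constrained path, so that the client makes the request the container will actually check.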