[ http://issues.apache.org/jira/browse/BEEHIVE-635?page=all ]

Rich Feit reassigned BEEHIVE-635:
---------------------------------

    Assign To: Rich Feit

> Tomcat PageflowValve does not check for security-constraints defined in web.xml
> -------------------------------------------------------------------------------
>
>          Key: BEEHIVE-635
>          URL: http://issues.apache.org/jira/browse/BEEHIVE-635
>      Project: Beehive
>         Type: Bug
>   Components: NetUI
>     Versions: V1Alpha, v1m1, V1Beta
>  Environment: Using beehive latest from SVN and Tomcat 5.5.7
>     Reporter: Abdessattar Sassi
>     Assignee: Rich Feit
>      Fix For: V1
>  Attachments: patch.txt
>
> The Tomcat implementation of the Pipeline for a Context is such that only one 
> Valve which is also an Authenticator valve is added to the Pipeline. The 
> standard Tomcat Authenticator valves (e.g. BasicAuthenticator) check for and 
> honor all the security constraints specified in the webapp web.xml descriptor.
> The PageflowValve implementation, part of tomcat-server under netui, is an 
> Authenticator valve as it extends BasicAuthenticator, which means that it is 
> mutually exclusive with the regular Tomcat authenticator valves (only one can 
> be in the pipeline). It does not, however, keep the features that were part of 
> the AuthenticatorBase and BasicAuthenticator invoke() method 
> implementation. Such an issue results, for example, in the user-data-constraint 
> elements being completely ignored, and therefore pages which are supposed to be 
> served only with SSL are always served without SSL.
> Following is an example of the code from the regular Tomcat authenticators 
> that is missing from the beehive adapter (please note that the code is from 
> Tomcat 5.5.7, with which, by the way, beehive does not compile, but it should 
> give you a good idea of the missing features...):
>         // Enforce any user data constraint for this security constraint
>         if (log.isDebugEnabled()) {
>             log.debug(" Calling hasUserDataPermission()");
>         }
>         Realm realm = this.context.getRealm();
>         // Is this request URI subject to a security constraint?
>         SecurityConstraint [] constraints
>             = realm.findSecurityConstraints(request, this.context);
>         if (!realm.hasUserDataPermission(request, response,
>                                          constraints)) {
>             if (log.isDebugEnabled()) {
>                 log.debug(" Failed hasUserDataPermission() test");
>             }
>             /*
>              * ASSERT: Authenticator already set the appropriate
>              * HTTP status code, so we do not have to do anything special
>              */
>             return;
>         }

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
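The check the report describes, modelled end to end as an added example (written for this page, not code from Beehive or Tomcat): a web.xml-style constraint table, servlet-spec url-pattern matching, the user-data-constraint (transport-guarantee) and auth-constraint checks that a Tomcat authenticator's invoke() runs before delegating, and, beside it, an invoke() that skips them. The class and function names (Request, Response, SecurityConstraint, find_security_constraints, has_user_data_permission, has_resource_permission, REDIRECT_PORT) are assumptions that mirror the Realm methods quoted above; Tomcat's real RealmBase logic is more involved.

```python
"""Model of web.xml security-constraint enforcement in an authenticator valve.

Added illustration for BEEHIVE-635, not Beehive or Tomcat code. Names below are
assumptions that only mirror the Realm methods quoted in the report.
"""
from dataclasses import dataclass, field

REDIRECT_PORT = 8443  # assumed SSL connector port (Tomcat's redirectPort)


@dataclass
class SecurityConstraint:
    patterns: tuple                     # <url-pattern> values
    methods: frozenset = frozenset()    # <http-method> values; empty = all methods
    transport_guarantee: str = "NONE"   # <transport-guarantee>: NONE|INTEGRAL|CONFIDENTIAL
    roles: tuple = ()                   # <auth-constraint><role-name>; empty = no auth


@dataclass
class Request:
    uri: str
    method: str = "GET"
    secure: bool = False                # True when received on the SSL connector
    host: str = "localhost"
    roles: frozenset = frozenset()      # roles of the authenticated principal


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""


def pattern_matches(pattern, uri):
    """Servlet-spec url-pattern rules: exact, '/x/*' prefix, '*.ext', default '/'."""
    if pattern == uri or pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return uri == prefix or uri.startswith(prefix + "/")
    if pattern.startswith("*."):
        return uri.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False


def find_security_constraints(request, constraints):
    """Constraints whose web-resource-collection covers this URI and method."""
    return [c for c in constraints
            if any(pattern_matches(p, request.uri) for p in c.patterns)
            and (not c.methods or request.method in c.methods)]


def has_user_data_permission(request, response, constraints):
    """<user-data-constraint>: any matching constraint with NONE permits plain
    HTTP; otherwise an insecure request is redirected to the SSL port."""
    if not constraints or any(c.transport_guarantee == "NONE" for c in constraints):
        return True
    if request.secure:
        return True
    response.status = 302
    response.headers["Location"] = f"https://{request.host}:{REDIRECT_PORT}{request.uri}"
    return False


def has_resource_permission(request, response, constraints):
    """<auth-constraint>: the caller must hold one of the listed roles."""
    required = [c for c in constraints if c.roles]
    if not required or any(request.roles & frozenset(c.roles) for c in required):
        return True
    response.status = 403
    return False


def serve(request, response):
    """Stand-in for the rest of the pipeline (the page flow itself)."""
    response.body = f"served {request.uri} over {'https' if request.secure else 'http'}"
    return response


def authenticator_invoke(request, response, constraints, next_valve=serve):
    """invoke() of a correct authenticator valve: enforce constraints, then delegate."""
    matching = find_security_constraints(request, constraints)
    if not has_user_data_permission(request, response, matching):
        return response  # status and Location already set, request stops here
    if not has_resource_permission(request, response, matching):
        return response
    return next_valve(request, response)


def pageflow_valve_invoke(request, response, constraints, next_valve=serve):
    """invoke() as the report describes it: the base-class checks are never run."""
    return next_valve(request, response)


# Constructed sample web.xml: SSL-only account pages, role-gated admin pages,
# and form posts to *.do that must arrive over SSL.
WEB_XML = [
    SecurityConstraint(("/account/*",), transport_guarantee="CONFIDENTIAL"),
    SecurityConstraint(("/admin/*",), roles=("manager",)),
    SecurityConstraint(("*.do",), methods=frozenset({"POST"}),
                       transport_guarantee="CONFIDENTIAL"),
]
```

Running `authenticator_invoke(Request("/account/balance.jsp"), Response(), WEB_XML)` yields a 302 to the https URL with an empty body, whereas `pageflow_valve_invoke` with the same arguments serves the page over plain HTTP, which is exactly the behaviour the report complains about. Note that Tomcat permits plain transport as soon as one matching constraint carries a NONE guarantee, so overlapping constraints need to be written with that in mind.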