[ http://issues.apache.org/jira/browse/BEEHIVE-635?page=all ]
Rich Feit resolved BEEHIVE-635:
-------------------------------
Resolution: Fixed
Assign To: Alejandro Ramirez (was: Rich Feit)
I meant to resolve this a long time ago -- these changes are in the Tomcat 5.5
ServletContainerAdapter that was contributed by Abdessattar (thanks again!).
Alex, to repro this, you can just add the following security constraint to
web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure PageFlow - all</web-resource-name>
        <url-pattern>/security/secure.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Then, follow the instructions at
$BEEHIVE_HOME/netui/test/webapps/tomcat/README.txt for integrating with Tomcat
5.5, deploy the app, and hit http://localhost:8080/<your webapp
name>/security/secure.jsp. If the bug is fixed, then the request will be
switched to https. If not, it'll remain in http.
> Tomcat PageflowValve does not check for security-constraints defined in
> web.xml
> -------------------------------------------------------------------------------
>
> Key: BEEHIVE-635
> URL: http://issues.apache.org/jira/browse/BEEHIVE-635
> Project: Beehive
> Type: Bug
> Components: NetUI
> Versions: V1Alpha, v1m1, V1Beta
> Environment: Using beehive latest from SVN and Tomcat 5.5.7
> Reporter: Abdessattar Sassi
> Assignee: Alejandro Ramirez
> Fix For: 1.1
> Attachments: patch.txt
>
> The Tomcat implementation of the Pipeline for a Context is such that only one
> Valve which is also an Authenticator valve is added to the Pipeline. The
> standard Tomcat Authenticator valves (e.g. BasicAuthenticator) check for and
> honor all the security constraints specified in the webapp web.xml descriptor.
> The PageflowValve implementation part of tomcat-server under netui is an
> Authenticator valve as it extends BasicAuthenticator, which means that it is
> mutually exclusive with the regular Tomcat authenticator valves (only one can
> be in the pipeline). It does not however keep the features that were part of
> the AuthenticatorBase and the BasicAuthenticator invoke() method
> implementation. Such an issue results, for example, in the user-data-constraint
> elements being completely ignored, and therefore pages that are supposed to be
> served only with SSL are always served without SSL.
> Following is an example of the code from the regular Tomcat authenticators
> that is missing from the beehive adapter (please note that the code is from
> Tomcat 5.5.7 with which by the way beehive does not compile, but should give
> you a good idea of the missing features...):
> // Enforce any user data constraint for this security constraint
> if (log.isDebugEnabled()) {
>     log.debug(" Calling hasUserDataPermission()");
> }
> Realm realm = this.context.getRealm();
> // Is this request URI subject to a security constraint?
> SecurityConstraint[] constraints
>     = realm.findSecurityConstraints(request, this.context);
> if (!realm.hasUserDataPermission(request, response, constraints)) {
>     if (log.isDebugEnabled()) {
>         log.debug(" Failed hasUserDataPermission() test");
>     }
>     /*
>      * ASSERT: Authenticator already set the appropriate
>      * HTTP status code, so we do not have to do anything special
>      */
>     return;
> }
--
This message is automatically generated by JIRA.
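Added illustration, not Beehive's PageflowValve and not the attached patch.txt: the shape a Tomcat 5.5 authenticator valve needs so that the user-data-constraint check (and the other checks from AuthenticatorBase.invoke()) runs before the valve's own work reaches the pipeline. The package and class name are assumed; the Tomcat calls are the ones quoted in the issue.

```java
package example; // assumed package and class; not Beehive's PageflowValve
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.Realm;
import org.apache.catalina.authenticator.BasicAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;

public class ConstraintAwareValve extends BasicAuthenticator {

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        Realm realm = this.context.getRealm();
        // Which <security-constraint> elements in web.xml cover this URI?
        SecurityConstraint[] constraints =
            realm.findSecurityConstraints(request, this.context);

        if (constraints != null) {
            // 1. <user-data-constraint>: for CONFIDENTIAL on a plain-http
            //    request the realm redirects to the https connector and
            //    returns false, so stop here. This is the check the issue
            //    reports as missing from PageflowValve.
            if (!realm.hasUserDataPermission(request, response, constraints)) {
                return;
            }
            // 2. <auth-constraint>: challenge the client (BASIC, inherited)
            //    if any matching constraint requires a role. Simplified:
            //    AuthenticatorBase also treats an empty role list as open.
            LoginConfig config = this.context.getLoginConfig();
            for (int i = 0; i < constraints.length; i++) {
                if (constraints[i].getAuthConstraint()) {
                    if (!authenticate(request, response, config)) {
                        return; // 401 already written by authenticate()
                    }
                    break;
                }
            }
            // 3. Role check against the authenticated principal.
            if (!realm.hasResourcePermission(request, response,
                                             constraints, this.context)) {
                return; // 403 already written by the realm
            }
        }
        // Only now do the valve's own work (e.g. pageflow handling) and
        // continue down the pipeline.
        getNext().invoke(request, response);
    }
}
```

With the web.xml constraint from the comment above in place, a plain-http request to /security/secure.jsp should come back as a redirect to the https port rather than the page body; if it returns the page, the valve in the pipeline is skipping step 1.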