Hi,
I have been trying to understand why I was not able to make the Java Pet
Store Supplier Application pass a security check, and I think that I
have discovered a potential bug. Before logging it, I would like to
confirm that this is not a code issue in PetStore.
The scenario is rather simple:
* the url "/RcvrRequestProcessor" is secured and only the "administrator"
role can access it;
* a FORM based authentication is configured to log in the users;
* the url "/RcvrRequestProcessor" plays the role of a dispatcher servlet
and forwards to the jsp file "/displayinventory.jsp";
* within the jsp "/displayinventory.jsp" there is the following security
check: request.isUserInRole("administrator"); and
* this security check fails.
I think that the security configuration is OK as I can log in and
successfully access the url "/RcvrRequestProcessor", which requires an
"administrator" role.
However, isUserInRole fails. This is the Permission which is tested:
(javax.security.jacc.WebRoleRefPermission jsp administrator)
Against the following Permissions:
[EMAIL PROTECTED] (
(javax.security.jacc.WebResourcePermission /RcvrRequestProcessor GET,POST)
(javax.security.jacc.WebRoleRefPermission PopulateServlet administrator)
(javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor
administrator)
)
The "jsp" portion of the Permission being tested is the name of the
servlet being processed and comes from a JettyServletHolder
automatically registered for the processing of jsp files.
If I add to the web.xml DD the following elements to explicitly register
the jsp "/displayinventory.jsp", then isUserInRole works as expected:
  <servlet>
    <servlet-name>/displayinventory.jsp</servlet-name>
    <jsp-file>/displayinventory.jsp</jsp-file>
  </servlet>
  <servlet-mapping>
    <servlet-name>/displayinventory.jsp</servlet-name>
    <url-pattern>/displayinventory.jsp</url-pattern>
  </servlet-mapping>
Indeed, with this explicit mapping, when isUserInRole is executed, the
Permission to be tested is:
(javax.security.jacc.WebRoleRefPermission /displayinventory.jsp
administrator)
And the Permissions are:
[EMAIL PROTECTED] (
(javax.security.jacc.WebRoleRefPermission /displayinventory.jsp
administrator)
(javax.security.jacc.WebRoleRefPermission PopulateServlet administrator)
(javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor
administrator)
(javax.security.jacc.WebResourcePermission /RcvrRequestProcessor GET,POST)
)
As a matter of fact, I am not sure if this is a bug in our
implementation or in PetStore (FYI, I have found another configuration
issue for an ejb-jar.xml DD).
Any idea?
Thanks,
Gianny
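The following is an added example, not code from the message above nor from PetStore or the servlet container it discusses. It reproduces the two permission collections quoted in the message with the real JACC API classes (java.security.Permissions, javax.security.jacc.WebRoleRefPermission and WebResourcePermission; it assumes the JACC API jar is on the classpath) and shows why the isUserInRole check fails: WebRoleRefPermission.implies() requires the servlet name and the role name to match exactly, so grants for "RcvrRequestProcessor" and "PopulateServlet" say nothing about a check made under the container's generic JSP servlet name "jsp". The isUserInRole helper, the class name and the method names are this example's own; the servlet names, URL and role name are the ones from the message.

```java
// Added example (not from the original message or from PetStore): models the
// JACC WebRoleRefPermission check behind request.isUserInRole().
import java.security.Permission;
import java.security.Permissions;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;

public class RoleRefCheck {

    // Permission collection as reported in the message before the JSP was
    // registered explicitly in web.xml: only the two named servlets carry a
    // role reference for "administrator".
    static Permissions implicitJspGrants() {
        Permissions p = new Permissions();
        p.add(new WebResourcePermission("/RcvrRequestProcessor", "GET,POST"));
        p.add(new WebRoleRefPermission("PopulateServlet", "administrator"));
        p.add(new WebRoleRefPermission("RcvrRequestProcessor", "administrator"));
        return p;
    }

    // The same collection once the JSP is registered under the servlet-name
    // "/displayinventory.jsp" (the web.xml fragment in the message), which
    // gives the JSP a WebRoleRefPermission of its own.
    static Permissions explicitJspGrants() {
        Permissions p = implicitJspGrants();
        p.add(new WebRoleRefPermission("/displayinventory.jsp", "administrator"));
        return p;
    }

    // What the container evaluates for isUserInRole(role) while the servlet
    // named servletName is processing the request (hypothetical helper that
    // stands in for the container's policy call).
    static boolean isUserInRole(Permissions granted, String servletName, String role) {
        Permission tested = new WebRoleRefPermission(servletName, role);
        return granted.implies(tested);
    }

    public static void main(String[] args) {
        // Forward from the dispatcher to the JSP: the JSP runs under the
        // container's generic JSP servlet name "jsp", for which no
        // WebRoleRefPermission was granted.
        System.out.println("jsp / administrator (implicit JSP servlet): "
            + isUserInRole(implicitJspGrants(), "jsp", "administrator"));

        // The dispatcher servlet itself has a matching role reference.
        System.out.println("RcvrRequestProcessor / administrator: "
            + isUserInRole(implicitJspGrants(), "RcvrRequestProcessor", "administrator"));

        // With the explicit <servlet> registration the JSP is checked under
        // its own servlet name, which now has a matching role reference.
        System.out.println("/displayinventory.jsp / administrator (explicit): "
            + isUserInRole(explicitJspGrants(), "/displayinventory.jsp", "administrator"));
    }
}
```

Compile with the JACC API jar on the classpath and run the class; the first check is the one that fails in the message, the second is the dispatcher check that passes, and the third is the check that passes after the explicit registration. The practical point for a review: any JSP that performs its own isUserInRole check must be reachable under a servlet name that has a WebRoleRefPermission for that role, whether through an explicit servlet-name or through the container mapping the generic JSP servlet's role references correctly.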