Yes...there might be a bug here...

IIRC, the Jetty JACC code did not test for JACC v1.0 section B.19 which is an explicit test for JSPs under JACC. I am not sure if this is the case here...but it sounds like it.

I would like to see what David Jencks or Alan thinks about this.

Jeff

Gianny Damour wrote:
Hi,

I have been trying to understand why I was not able to make the Java Pet Store Supplier Application pass a security check and I think that I have discovered a potential bug. Prior to logging it, I would like to confirm that this is not a code issue in PetStore.

The scenario is rather simple:
* the url "/RcvrRequestProcessor" is secured and only the "administrator" role can access it;
* a FORM based authentication is configured to log in the users;
* the url "/RcvrRequestProcessor" plays the role of a dispatcher servlet and forwards to the jsp file "/displayinventory.jsp";
* within the jsp "/displayinventory.jsp" there is the following security check: request.isUserInRole("administrator"); and
* this security check fails.

I think that the security configuration is OK as I can log in and successfully access the url "/RcvrRequestProcessor", which requires an "administrator" role.

However, isUserInRole fails. This is the Permission which is tested:
(javax.security.jacc.WebRoleRefPermission jsp administrator)

Against the following Permissions:
[EMAIL PROTECTED] (
(javax.security.jacc.WebResourcePermission /RcvrRequestProcessor GET,POST)
(javax.security.jacc.WebRoleRefPermission PopulateServlet administrator)
(javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor administrator)
)

The "jsp" portion of the Permission being tested is the name of the servlet being processed and comes from a JettyServletHolder automatically registered for the processing of jsp files.

If I add to the web.xml DD the following elements to explicitly register the jsp "/displayinventory.jsp", then isUserInRole works as expected:
 <servlet>
   <servlet-name>/displayinventory.jsp</servlet-name>
   <jsp-file>/displayinventory.jsp</jsp-file>
 </servlet>

 <servlet-mapping>
   <servlet-name>/displayinventory.jsp</servlet-name>
   <url-pattern>/displayinventory.jsp</url-pattern>
 </servlet-mapping>

Indeed, with this explicit mapping, when isUserInRole is executed, the Permission to be tested is: (javax.security.jacc.WebRoleRefPermission /displayinventory.jsp administrator)

And the Permissions is:
[EMAIL PROTECTED] (
(javax.security.jacc.WebRoleRefPermission /displayinventory.jsp administrator)
(javax.security.jacc.WebRoleRefPermission PopulateServlet administrator)
(javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor administrator)
(javax.security.jacc.WebResourcePermission /RcvrRequestProcessor GET,POST)
)

As a matter of fact, I am not sure if this is a bug in our implementation or in PetStore (FYI, I have found another configuration issue for an ejb-jar.xml DD).

Any idea?

Thanks,
Gianny
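The two Permissions collections quoted in the message above can be reproduced with the JACC API to see why the implicit "jsp" holder name never matches a role ref. This is an added example, not code from Geronimo, Jetty or PetStore; the class name, the two helper methods and the servlet/role names are taken or constructed from the text, and the "jsp" holder name is the one the message reports.

```java
import java.security.Permissions;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;

public class JspRoleRefCheck {

    // Rebuild the granted Permissions collection shown in the message.
    // With jspRegisteredExplicitly == true the extra WebRoleRefPermission that
    // appears after adding the <servlet>/<jsp-file> element to web.xml is included.
    static Permissions deploymentPermissions(boolean jspRegisteredExplicitly) {
        Permissions granted = new Permissions();
        granted.add(new WebResourcePermission("/RcvrRequestProcessor", "GET,POST"));
        granted.add(new WebRoleRefPermission("PopulateServlet", "administrator"));
        granted.add(new WebRoleRefPermission("RcvrRequestProcessor", "administrator"));
        if (jspRegisteredExplicitly) {
            granted.add(new WebRoleRefPermission("/displayinventory.jsp", "administrator"));
        }
        return granted;
    }

    // Under JACC, isUserInRole(role) is decided by a WebRoleRefPermission whose name is
    // the servlet-name of the component currently executing and whose actions is the
    // role name. WebRoleRefPermission.implies requires both name and actions to be equal,
    // so the servlet-name used at check time must match the one used at deployment time.
    static boolean isUserInRole(Permissions granted, String servletName, String role) {
        return granted.implies(new WebRoleRefPermission(servletName, role));
    }

    public static void main(String[] args) {
        // Case 1 from the message: the JSP runs under the container-registered
        // holder named "jsp", which has no role ref in the granted collection.
        boolean implicitHolder = isUserInRole(
                deploymentPermissions(false), "jsp", "administrator");
        // Case 2: the JSP is registered explicitly in web.xml under its own
        // servlet-name, so the role ref name now matches.
        boolean explicitHolder = isUserInRole(
                deploymentPermissions(true), "/displayinventory.jsp", "administrator");
        System.out.println("implicit \"jsp\" holder  -> " + implicitHolder);
        System.out.println("explicit servlet-name   -> " + explicitHolder);
    }
}
```

Compiling against a JACC API jar (javax.security.jacc) is sufficient; no container is needed to observe the name mismatch.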
