I think our behavior is correct. I don't quite understand what the
other possibilities are. FWIW, I don't think we should bend over
backward to support jsp pages not mentioned web.xml.
thanks
david jencks
On Jul 28, 2005, at 7:52 PM, Jeff Genender wrote:
Yes...there might be a bug here...
IIRC, the Jetty JACC code did not test for JACC v1.0 section B.19
which is an explicit test for JSPs under JACC. I am not sure if this
is the case here...but it sounds like it.
I would like to see what David Jencks or Alan thinks about this.
Jeff
Gianny Damour wrote:
Hi,
I have been trying to understand why I was not able to make the Java
Pet Store Supplier Application to pass a security check and I think
that I have discovered a potential bug. Prior to log it, I would like
to confirm that this is not a code issue in PetStore.
The scenario is rather simple:
* the url "/RcvrRequestProcessor" is secured and only the
"administator" role can access it;
* a FORM based authentication is configured to log in the users;
* the url "/RcvrRequestProcessor" plays the role of a dispatcher
servlet and forwards to the jsp file "/displayinventory.jsp";
* within the jsp "/displayinventory.jsp" there is the following
security check " request.isUserInRole("administrator")"; and
* this security check fails.
I think that the security configuration is OK as I can log in and
successfully access the url "/RcvrRequestProcessor", which requires
an "administrator" role.
However, isUserInRole fails. This is the Permission which is tested:
(javax.security.jacc.WebRoleRefPermission jsp administrator)
Against the following Permissions:
[EMAIL PROTECTED] (
(javax.security.jacc.WebResourcePermission /RcvrRequestProcessor
GET,POST)
(javax.security.jacc.WebRoleRefPermission PopulateServlet
administrator)
(javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor
administrator)
)
The "jsp" portion of the Permission being tested is the name of the
servlet being processed and comes from a JettyServletHolder
automatically registered for the processing of jsp files.
If I add to the web.xml DD the following elements to explicitly
register the jsp "/displayinventory.jsp", then isUserInRole works as
expected:
<servlet>
<servlet-name>/displayinventory.jsp</servlet-name>
<jsp-file>/displayinventory.jsp</jsp-file>
</servlet>
<servlet-mapping>
<servlet-name>/displayinventory.jsp</servlet-name>
<url-pattern>/displayinventory.jsp</url-pattern>
</servlet-mapping>
Indeed, with this explicit mapping, when isUserInRole is executed,
the Permission to be tested is:
(javax.security.jacc.WebRoleRefPermission /displayinventory.jsp
administrator)
And the Permissions is:
[EMAIL PROTECTED] (
(javax.security.jacc.WebRoleRefPermission /displayinventory.jsp
administrator)
(javax.security.jacc.WebRoleRefPermission PopulateServlet
administrator)
(javax.security.jacc.WebRoleRefPermission RcvrRequestProcessor
administrator)
(javax.security.jacc.WebResourcePermission /RcvrRequestProcessor
GET,POST)
)
As a matter of fact, I am not sure if this is a bug in our
implementation or in PetStore (FYI, I have found another
configuration issue for an ejb-jar.xml DD).
Any idea?
Thanks,
Gianny
