[ https://issues.apache.org/jira/browse/GERONIMO-2695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12462374 ]

Jeff Genender commented on GERONIMO-2695:
-----------------------------------------

"Actually, I can omit the secured resource collection completely and I still 
experience the same issue. The test WAR that I included only has an unsecured 
resource collection and thus demonstrates this."

Yep, and this is my point.  I believe your web.xml is wrong.  Here are the 
changes to the web.xml you put in your example, and it works absolutely fine for 
me:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
   <display-name>Test Web Application</display-name>
   <security-constraint>
      <display-name>Secure Constraint</display-name>
      <web-resource-collection>
         <web-resource-name>Secure Resource Collection</web-resource-name>
         <url-pattern>/</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>MXSYSTEM</role-name>
      </auth-constraint>
      <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
   </security-constraint>
   <security-constraint>
      <display-name>Unsecure Constraint</display-name>
      <web-resource-collection>
         <web-resource-name>Unsecure Resource Collection</web-resource-name>
         <url-pattern>/index.html</url-pattern>
         <url-pattern>/login.html</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>*</role-name>
      </auth-constraint>
      <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
   </security-constraint>
   <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
         <form-login-page>/login.html</form-login-page>
         <form-error-page>/login.html</form-error-page>
      </form-login-config>
   </login-config>
   <security-role>
      <description>Maintenix Application System Role</description>
      <role-name>MXSYSTEM</role-name>
   </security-role>
</web-app>

> Requests using Non-secure HTTP connections cannot access unsecured web 
> resources
> --------------------------------------------------------------------------------
>
>                 Key: GERONIMO-2695
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2695
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security, Tomcat, web
>    Affects Versions: 1.1.1
>         Environment: Geronimo running on Windows XP
>            Reporter: Aman Nanner
>         Attachments: test.war
>
>
> Consider the following fragment of my web.xml in my WAR:
> ----
>    <security-constraint>
>       <display-name>Unsecure Constraint</display-name>
>       <web-resource-collection>
>          <web-resource-name>Unsecure Resource Collection</web-resource-name>
>          <url-pattern>/common/error/*</url-pattern>
>          <url-pattern>/common/includes/*</url-pattern>
>          <url-pattern>/common/Message.jsp</url-pattern>
>          <url-pattern>/common/resources/*</url-pattern>
>          <url-pattern>/common/security/login.jsp</url-pattern>
>          <url-pattern>/common/security/logout.jsp</url-pattern>
>          <url-pattern>/servlet/branding/*</url-pattern>
>          <url-pattern>/servlet/image/*</url-pattern>
>          <url-pattern>/servlet/login/*</url-pattern>
>          <url-pattern>/servlet/definecookie</url-pattern>
>          <http-method>GET</http-method>
>          <http-method>POST</http-method>
>       </web-resource-collection>
>       <user-data-constraint>
>          <transport-guarantee>NONE</transport-guarantee>
>       </user-data-constraint>
>    </security-constraint>
>    <security-constraint>
>       <display-name>Secure Constraint</display-name>
>       <web-resource-collection>
>          <web-resource-name>Secure Resource Collection</web-resource-name>
>          <url-pattern>/</url-pattern>
>          <http-method>GET</http-method>
>          <http-method>POST</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>          <role-name>MXSYSTEM</role-name>
>       </auth-constraint>
>       <user-data-constraint>
>          <transport-guarantee>NONE</transport-guarantee>
>       </user-data-constraint>
>    </security-constraint>
>    <login-config>
>       <auth-method>FORM</auth-method>
>       <form-login-config>
>          <form-login-page>/common/security/PreLogin.jsp</form-login-page>
>          <form-error-page>/common/security/error.jsp</form-error-page>
>       </form-login-config>
>    </login-config>
>    <security-role>
>       <description>Application System Role</description>
>       <role-name>MXSYSTEM</role-name>
>    </security-role>
> ----
> There are two sets of web resources defined: a secured web resource 
> collection, and an unsecured web resource collection.  The secured web 
> collection is by default everything that matches the "/" pattern.  In the 
> unsecured web collection, we use specific URL patterns so that certain 
> resources can be accessed prior to login.  Note that there is no security 
> role defined for the unsecured web resource collection, as these resources 
> should be available to every request.
> The problem is that access is denied to the unsecured web resource 
> collection, even though they are defined as unsecured.  A blank HTML page is 
> returned instead of the appropriate resource.  After some debugging, I 
> discovered what seems to be a bug in the 
> org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm class.  Consider the 
> following code fragment in the hasResourceCollection(...) method:
> ----
>         // Which user principal have we already authenticated?
>         Principal principal = request.getUserPrincipal();
>         //If we have no principal, then we should use the default.
>         if (principal == null) {
>             return request.isSecure();
>         } else {
>             Subject currentCaller = ((JAASTomcatPrincipal) 
> principal).getSubject();
>             ContextManager.setCallers(currentCaller, currentCaller);
>         }
> ----
> When I make an HTTP connection to an unsecure web resource, I am 
> unauthenticated before I can login.  Thus, the principal in this case is 
> null.  In the case of a null principal, the code seems to base its 
> authorization on whether or not the request is secure!  This seems very 
> strange to me, as it should be able to accept normal, unauthenticated, HTTP 
> connections to unsecure web resources.
> I tried accessing the unsecured web resources over HTTPS, and sure enough, I 
> was able to access them because of the secure connection.  I'm not sure why 
> this works only over HTTPS...it should work in both cases.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
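The thread turns on what a <security-constraint> with no <auth-constraint>, or with <role-name>*</role-name>, is supposed to mean for an unauthenticated request. The following is an added example, not Geronimo or Tomcat code and not something either participant posted: a small evaluator for the Servlet 2.4 rules (SRV.12.8, with the URL matching of SRV.11.1) run against a web.xml constructed from the two fragments in this issue. The patterns, role name MXSYSTEM and the request paths /common/security/login.jsp, /common/includes/a.css and /app/Main.jsp are taken from or modelled on the issue; the template placeholder and function names are this example's own. It shows what the specification says the container should do for each variant, which is exactly what the reported realm behaviour is being compared against.

```python
"""Servlet 2.4 security-constraint evaluation for one request (added example).

Rules applied, from the Servlet 2.4 specification (SRV.12.8 / SRV.11.1):
  - exact pattern beats longest "/*" prefix, beats "*.ext", beats the default "/";
  - a method not listed in any matching collection is not constrained at all;
  - a matching collection with no <auth-constraint> is open to everyone;
  - an empty <auth-constraint/> denies everyone;
  - <role-name>*</role-name> means every declared <security-role>, which
    still requires an authenticated caller.
"""
import xml.etree.ElementTree as ET

NS = {"j2ee": "http://java.sun.com/xml/ns/j2ee"}

# Constructed sample web.xml: one template, two variants from the issue.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Unsecure Resource Collection</web-resource-name>
      <url-pattern>/common/includes/*</url-pattern>
      <url-pattern>/common/security/login.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    {unsecure_auth}
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Resource Collection</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>MXSYSTEM</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>MXSYSTEM</role-name></security-role>
</web-app>"""
REPORTER_XML = WEB_XML.format(unsecure_auth="")  # reporter: no <auth-constraint>
COMMENT_XML = WEB_XML.format(                    # comment: <role-name>*</role-name>
    unsecure_auth="<auth-constraint><role-name>*</role-name></auth-constraint>")


def parse_constraints(web_xml):
    """Return [(patterns, methods, roles)]; roles is None when the constraint
    has no <auth-constraint>, otherwise a set with "*" expanded."""
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in
                root.findall(".//j2ee:security-role/j2ee:role-name", NS)}
    out = []
    for sc in root.findall("j2ee:security-constraint", NS):
        patterns = [p.text.strip() for p in sc.findall(".//j2ee:url-pattern", NS)]
        methods = {m.text.strip() for m in sc.findall(".//j2ee:http-method", NS)}
        auth = sc.find("j2ee:auth-constraint", NS)
        roles = None
        if auth is not None:
            roles = set()
            for r in auth.findall("j2ee:role-name", NS):
                name = r.text.strip()
                roles |= declared if name == "*" else {name}
        out.append((patterns, methods, roles))
    return out


def match_rank(pattern, path):
    """Rank of a match per SRV.11.1, or None if the pattern does not match."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    return (0, 0) if pattern == "/" else None


def decide(constraints, method, path, caller_roles=None):
    """caller_roles None means unauthenticated.
    Returns "PERMIT", "DENY" or "AUTHENTICATE" (container challenges)."""
    best, best_rank = None, None
    for patterns, methods, _ in constraints:
        if methods and method not in methods:
            continue  # this collection does not cover the method
        for p in patterns:
            rank = match_rank(p, path)
            if rank is not None and (best_rank is None or rank > best_rank):
                best, best_rank = p, rank
    if best is None:
        return "PERMIT"  # uncovered: no constraint applies to this method/path
    role_sets = [roles for patterns, methods, roles in constraints
                 if best in patterns and (not methods or method in methods)]
    if any(r == set() for r in role_sets):
        return "DENY"    # empty <auth-constraint/> precludes all access
    if any(r is None for r in role_sets):
        return "PERMIT"  # no <auth-constraint>: unauthenticated access allowed
    allowed = set().union(*role_sets)
    if caller_roles is None:
        return "AUTHENTICATE"
    return "PERMIT" if allowed & set(caller_roles) else "DENY"


if __name__ == "__main__":
    for label, xml in (("reporter", REPORTER_XML), ("comment", COMMENT_XML)):
        c = parse_constraints(xml)
        for m, p in (("GET", "/common/security/login.jsp"), ("GET", "/app/Main.jsp"),
                     ("PUT", "/app/Main.jsp")):
            print(label, m, p, "->", decide(c, m, p))
```

Two things worth noticing when running it. Under the reporter's layout the unsecured paths come back PERMIT for an unauthenticated caller, so a realm that returns `request.isSecure()` for a null principal is not applying the descriptor; under the `*` variant the same paths come back AUTHENTICATE, because `*` names roles rather than switching authentication off. Separately, both fragments list only GET and POST, so a PUT or HEAD to /app/Main.jsp is uncovered and PERMIT under 2.4 semantics; a constraint intended to protect a resource should omit <http-method> so that every verb is covered.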