[ https://issues.apache.org/jira/browse/GERONIMO-2695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12462617 ]
Jeff Genender commented on GERONIMO-2695:
-----------------------------------------
Ok I fixed it in 1.2 BRANCH and in 2.0 Trunk. Please try it and let me know if
it's fixed (unfortunately you need to build Geronimo). I recommend trying 1.2
since 2.0 is in a state of flux at the moment.
> Requests using Non-secure HTTP connections cannot access unsecured web
> resources
> --------------------------------------------------------------------------------
>
> Key: GERONIMO-2695
> URL: https://issues.apache.org/jira/browse/GERONIMO-2695
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: security, Tomcat, web
> Affects Versions: 1.1.1
> Environment: Geronimo running on Windows XP
> Reporter: Aman Nanner
> Assigned To: Jeff Genender
> Attachments: test.war
>
>
> Consider the following fragment of my web.xml in my WAR:
> ----
> <security-constraint>
>   <display-name>Unsecure Constraint</display-name>
>   <web-resource-collection>
>     <web-resource-name>Unsecure Resource Collection</web-resource-name>
>     <url-pattern>/common/error/*</url-pattern>
>     <url-pattern>/common/includes/*</url-pattern>
>     <url-pattern>/common/Message.jsp</url-pattern>
>     <url-pattern>/common/resources/*</url-pattern>
>     <url-pattern>/common/security/login.jsp</url-pattern>
>     <url-pattern>/common/security/logout.jsp</url-pattern>
>     <url-pattern>/servlet/branding/*</url-pattern>
>     <url-pattern>/servlet/image/*</url-pattern>
>     <url-pattern>/servlet/login/*</url-pattern>
>     <url-pattern>/servlet/definecookie</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <security-constraint>
>   <display-name>Secure Constraint</display-name>
>   <web-resource-collection>
>     <web-resource-name>Secure Resource Collection</web-resource-name>
>     <url-pattern>/</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>MXSYSTEM</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/common/security/PreLogin.jsp</form-login-page>
>     <form-error-page>/common/security/error.jsp</form-error-page>
>   </form-login-config>
> </login-config>
> <security-role>
>   <description>Application System Role</description>
>   <role-name>MXSYSTEM</role-name>
> </security-role>
> ----
> There are two sets of web resources defined: a secured web resource
> collection, and an unsecured web resource collection. The secured web
> collection is by default everything that matches the "/" pattern. In the
> unsecured web collection, we use specific URL patterns so that certain
> resources can be accessed prior to login. Note that there is no security
> role defined for the unsecured web resource collection, as these resources
> should be available to every request.
> The problem is that access is denied to the unsecured web resource
> collection, even though they are defined as unsecured. A blank HTML page is
> returned instead of the appropriate resource. After some debugging, I
> discovered what seems to be a bug in the
> org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm class. Consider the
> following code fragment in the hasResourceCollection(...) method:
> ----
> // Which user principal have we already authenticated?
> Principal principal = request.getUserPrincipal();
> // If we have no principal, then we should use the default.
> if (principal == null) {
>     return request.isSecure();
> } else {
>     Subject currentCaller = ((JAASTomcatPrincipal) principal).getSubject();
>     ContextManager.setCallers(currentCaller, currentCaller);
> }
> ----
> When I make an HTTP connection to an unsecure web resource, I am
> unauthenticated before I can log in. Thus, the principal in this case is
> null. In the case of a null principal, the code seems to base its
> authorization on whether or not the request is secure! This seems very
> strange to me, as it should be able to accept normal, unauthenticated, HTTP
> connections to unsecure web resources.
> I tried accessing the unsecured web resources over HTTPS, and sure enough, I
> was able to access them because of the secure connection. I'm not sure why
> this works only over HTTPS... it should work in both cases.
--
This message is automatically generated by JIRA.
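The authorization decision the report describes, as a simplified model added here (not Geronimo's or Tomcat's own code): the two constraints are constructed from the web.xml fragment above, `buggy_authorized` mirrors the `request.isSecure()` fallback in the quoted realm fragment, and `fixed_authorized` keeps the role check and the transport guarantee as separate decisions. The url-pattern matching is a simplification of the servlet rules, and all function names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Constraint:
    patterns: list            # <url-pattern> entries
    roles: list = None        # None = no <auth-constraint> (open to all)
    transport: str = "NONE"   # <transport-guarantee>

# Constructed from the web.xml fragment in the report (simplified model).
UNSECURED = Constraint(["/common/error/*", "/common/includes/*", "/common/Message.jsp",
                        "/common/resources/*", "/common/security/login.jsp",
                        "/common/security/logout.jsp", "/servlet/branding/*",
                        "/servlet/image/*", "/servlet/login/*", "/servlet/definecookie"])
SECURED = Constraint(["/"], roles=["MXSYSTEM"])
WEB_XML = [UNSECURED, SECURED]

def select_constraint(constraints, path):
    # Most specific match wins: exact, then longest "/*" prefix, then the
    # default "/" pattern (a simplification of the servlet matching rules).
    best, best_score = None, -1
    for c in constraints:
        for p in c.patterns:
            if p == path:
                score = 10_000
            elif p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-1])):
                score = len(p)
            elif p == "/":
                score = 0
            else:
                continue
            if score > best_score:
                best, best_score = c, score
    return best
def buggy_authorized(constraint, caller_roles, is_secure):
    # Mirrors the reported fragment: with no principal the answer is
    # request.isSecure(), so the transport decides instead of the constraint.
    if caller_roles is None:
        return is_secure
    return constraint.roles is None or bool(set(constraint.roles) & set(caller_roles))
def fixed_authorized(constraint, caller_roles, is_secure):
    # Transport guarantee and role authorization are separate checks.
    if constraint.transport == "CONFIDENTIAL" and not is_secure:
        return False          # needs HTTPS, whoever the caller is
    if constraint.roles is None:
        return True           # no <auth-constraint>: open to everyone
    if caller_roles is None:
        return False          # protected resource and no login yet
    return bool(set(constraint.roles) & set(caller_roles))
def check(authorize, path, caller_roles=None, is_secure=False):
    return authorize(select_constraint(WEB_XML, path), caller_roles, is_secure)
```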