[ https://issues.apache.org/jira/browse/GERONIMO-2695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12463027 ]

Vamsavardhana Reddy commented on GERONIMO-2695:
-----------------------------------------------

GERONIMO-2695-1.1.x.patch:

Jeff, I have verified on branches\1.2 that your fix addressed the dup 
GERONIMO-2339.  I have back-ported the fix to branches\1.1 and verified 
GERONIMO-2339.  Can you commit the fix to branches\1.1?  I have created 
GERONIMO-2695-1.1.x.patch for you to make it simpler.

> Requests using Non-secure HTTP connections cannot access unsecured web 
> resources
> --------------------------------------------------------------------------------
>
>                 Key: GERONIMO-2695
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-2695
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security, Tomcat, web
>    Affects Versions: 1.1.1
>         Environment: Geronimo running on Windows XP
>            Reporter: Aman Nanner
>         Assigned To: Jeff Genender
>         Attachments: GERONIMO-2695-1.1.x.patch, test.war
>
>
> Consider the following fragment of my web.xml in my WAR:
> ----
>    <security-constraint>
>       <display-name>Unsecure Constraint</display-name>
>       <web-resource-collection>
>          <web-resource-name>Unsecure Resource Collection</web-resource-name>
>          <url-pattern>/common/error/*</url-pattern>
>          <url-pattern>/common/includes/*</url-pattern>
>          <url-pattern>/common/Message.jsp</url-pattern>
>          <url-pattern>/common/resources/*</url-pattern>
>          <url-pattern>/common/security/login.jsp</url-pattern>
>          <url-pattern>/common/security/logout.jsp</url-pattern>
>          <url-pattern>/servlet/branding/*</url-pattern>
>          <url-pattern>/servlet/image/*</url-pattern>
>          <url-pattern>/servlet/login/*</url-pattern>
>          <url-pattern>/servlet/definecookie</url-pattern>
>          <http-method>GET</http-method>
>          <http-method>POST</http-method>
>       </web-resource-collection>
>       <user-data-constraint>
>          <transport-guarantee>NONE</transport-guarantee>
>       </user-data-constraint>
>    </security-constraint>
>    <security-constraint>
>       <display-name>Secure Constraint</display-name>
>       <web-resource-collection>
>          <web-resource-name>Secure Resource Collection</web-resource-name>
>          <url-pattern>/</url-pattern>
>          <http-method>GET</http-method>
>          <http-method>POST</http-method>
>       </web-resource-collection>
>       <auth-constraint>
>          <role-name>MXSYSTEM</role-name>
>       </auth-constraint>
>       <user-data-constraint>
>          <transport-guarantee>NONE</transport-guarantee>
>       </user-data-constraint>
>    </security-constraint>
>    <login-config>
>       <auth-method>FORM</auth-method>
>       <form-login-config>
>          <form-login-page>/common/security/PreLogin.jsp</form-login-page>
>          <form-error-page>/common/security/error.jsp</form-error-page>
>       </form-login-config>
>    </login-config>
>    <security-role>
>       <description>Application System Role</description>
>       <role-name>MXSYSTEM</role-name>
>    </security-role>
> ----
> There are two sets of web resources defined: a secured web resource 
> collection, and an unsecured web resource collection.  The secured web 
> collection is by default everything that matches the "/" pattern.  In the 
> unsecured web collection, we use specific URL patterns so that certain 
> resources can be accessed prior to login.  Note that there is no security 
> role defined for the unsecured web resource collection, as these resources 
> should be available to every request.
> The problem is that access is denied to the unsecured web resource 
> collection, even though they are defined as unsecured.  A blank HTML page is 
> returned instead of the appropriate resource.  After some debugging, I 
> discovered what seems to be a bug in the 
> org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm class.  Consider the 
> following code fragment in the hasResourceCollection(...) method:
> ----
>         // Which user principal have we already authenticated?
>         Principal principal = request.getUserPrincipal();
>         //If we have no principal, then we should use the default.
>         if (principal == null) {
>             return request.isSecure();
>         } else {
>             Subject currentCaller = ((JAASTomcatPrincipal) principal).getSubject();
>             ContextManager.setCallers(currentCaller, currentCaller);
>         }
> ----
> When I make an HTTP connection to an unsecure web resource, I am 
> unauthenticated before I can login.  Thus, the principal in this case is 
> null.  In the case of a null principal, the code seems to base its 
> authorization on whether or not the request is secure!  This seems very 
> strange to me, as it should be able to accept normal, unauthenticated, HTTP 
> connections to unsecure web resources.
> I tried accessing the unsecured web resources over HTTPS, and sure enough, I 
> was able to access them because of the secure connection.  I'm not sure why 
> this works only over HTTPS...it should work in both cases.

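Added illustration, not Geronimo's code and not the committed fix: a self-contained model of the decision the report describes, with the null-principal branch that returns request.isSecure() placed beside an assumed corrected version in which an unauthenticated request is allowed whenever the matched collection has no <auth-constraint>, and the secure flag is consulted only for the transport guarantee. The Constraint class, role sets and the two constraints from the quoted web.xml are constructed here for the demonstration.

```java
import java.util.Collections;
import java.util.Set;

public class ConstraintCheckDemo {
    // Hypothetical model of one <security-constraint>: the <role-name>s of its
    // <auth-constraint> (empty set = no auth-constraint) and <transport-guarantee>.
    static final class Constraint {
        final Set<String> roles;
        final String transportGuarantee;
        Constraint(Set<String> roles, String transportGuarantee) {
            this.roles = roles;
            this.transportGuarantee = transportGuarantee;
        }
    }

    // Behaviour as described in the report: callerRoles == null stands for
    // request.getUserPrincipal() == null, and the answer is then taken from
    // request.isSecure() alone, so plain HTTP is refused even for a
    // collection that has no <auth-constraint>.
    static boolean reportedBehaviour(Constraint c, boolean isSecure, Set<String> callerRoles) {
        if (callerRoles == null) {
            return isSecure;
        }
        return c.roles.isEmpty() || !Collections.disjoint(c.roles, callerRoles);
    }

    // Assumed corrected decision (illustrative, not the actual patch):
    // 1. a transport guarantee other than NONE requires a secure connection;
    // 2. a collection without <auth-constraint> is open to every caller;
    // 3. otherwise the caller must hold at least one of the listed roles.
    static boolean correctedBehaviour(Constraint c, boolean isSecure, Set<String> callerRoles) {
        boolean needsSecureTransport = !"NONE".equals(c.transportGuarantee);
        if (needsSecureTransport && !isSecure) {
            return false;
        }
        if (c.roles.isEmpty()) {
            return true;
        }
        return callerRoles != null && !Collections.disjoint(c.roles, callerRoles);
    }

    public static void main(String[] args) {
        Constraint unsecured = new Constraint(Set.of(), "NONE");          // "Unsecure Constraint"
        Constraint secured = new Constraint(Set.of("MXSYSTEM"), "NONE");  // "Secure Constraint"
        System.out.println("login.jsp over HTTP, no principal, reported:  " + reportedBehaviour(unsecured, false, null));
        System.out.println("login.jsp over HTTP, no principal, corrected: " + correctedBehaviour(unsecured, false, null));
        System.out.println("login.jsp over HTTPS, no principal, reported: " + reportedBehaviour(unsecured, true, null));
        System.out.println("/ over HTTP, no principal, corrected:         " + correctedBehaviour(secured, false, null));
        System.out.println("/ over HTTP, MXSYSTEM, corrected:             " + correctedBehaviour(secured, false, Set.of("MXSYSTEM")));
    }
}
```

The first two lines of output show the reported symptom (false) against the corrected decision (true); the last two show that resources under "/" still require the MXSYSTEM role in both versions.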
-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira