Bug report #626 has just been filed.

You can view the report at the following URL:

   <http://znutar.cortexity.com/BugRatViewer/ShowReport/626>

REPORT #626 Details.

Project: Tomcat
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: serious
Confidence: public
Environment: 
   Release: 3.2.1
   JVM Release: 1.3.0
   Operating System: Windows 2000
   OS Release: Service pack 1
   Platform: Intel (x86)

Synopsis: 
security-role-ref not observed in isUserInRole()

Description:

NOTE: unable to submit as me ([EMAIL PROTECTED]) as the submitter list does not include me
(after following the Create New User link)

Tomcat 3.2.1's implementation of isUserInRole() does not validate the role
based on the security-role alias defined in a servlet's security-role-ref. Instead
it treats the role-name as an actual role-name. The result is that an incorrect
value is passed to the realm handling user/role validation.

This breaks J2EE 1.2.1 CTS tests for basic security.


Submitter: _Anonymous ( [EMAIL PROTECTED] )
Date Submitted: Dec 19 2000, 03:36:14 CST
Responsible: Z_Tomcat Alias ( [EMAIL PROTECTED] )

Additional Environment Description:
N/A

How To Reproduce:
null

Workaround:
null
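An added example, not code from this report or from Tomcat: a small Python model of the lookup that isUserInRole() is supposed to perform, beside the shortcut the report describes. The web.xml fragment and the realm's user/role table are constructed sample data; the servlet name, the "MGR" alias and the fallback for names with no security-role-ref (checking them against the declared security-role list, as later Servlet specifications require) are assumptions of the example.

```python
"""Model of isUserInRole() resolution through security-role-ref (constructed
example; not Tomcat's own code). The correct path maps the servlet-local
role-name alias to its role-link before asking the realm; the buggy path hands
the alias to the realm unchanged, which is the behaviour the report describes."""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (assumption: Servlet 2.2-style descriptor).
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>Accounts</servlet-name>
    <servlet-class>example.AccountsServlet</servlet-class>
    <security-role-ref>
      <role-name>MGR</role-name>
      <role-link>manager</role-link>
    </security-role-ref>
  </servlet>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>employee</role-name></security-role>
</web-app>"""

# Constructed realm data: user -> set of real application roles.
REALM = {
    "alice": {"manager", "employee"},
    "bob": {"employee"},
}


class Realm:
    """Realm that only knows the real roles declared in <security-role>."""

    def __init__(self, users):
        self.users = users

    def has_role(self, user, role):
        return role in self.users.get(user, set())


def parse_descriptor(text):
    """Return (role_refs, security_roles).

    role_refs maps servlet-name -> {alias role-name: linked real role};
    security_roles is the set of real roles the application declares."""
    root = ET.fromstring(text)
    role_refs = {}
    for servlet in root.findall("servlet"):
        refs = {}
        for ref in servlet.findall("security-role-ref"):
            alias = ref.findtext("role-name")
            link = ref.findtext("role-link")
            refs[alias] = link if link else alias
        role_refs[servlet.findtext("servlet-name")] = refs
    security_roles = {
        sr.findtext("role-name") for sr in root.findall("security-role")
    }
    return role_refs, security_roles


def is_user_in_role_buggy(realm, user, role_name):
    """Behaviour the report describes: the security-role-ref is never
    consulted, so the alias reaches the realm as if it were a real role."""
    return realm.has_role(user, role_name)


def is_user_in_role_correct(realm, role_refs, security_roles, servlet, user, role_name):
    """Resolve the alias through the calling servlet's security-role-ref.
    A name with no ref is accepted only if it is a declared security-role
    (assumed fallback, per later Servlet specs); anything else is False."""
    real_role = role_refs.get(servlet, {}).get(role_name)
    if real_role is None:
        if role_name not in security_roles:
            return False
        real_role = role_name
    return realm.has_role(user, real_role)


def demo():
    """The servlet asks about its alias "MGR"; only the correct path maps it
    to the realm's "manager" role. Returns (buggy_answer, correct_answer)."""
    realm = Realm(REALM)
    role_refs, security_roles = parse_descriptor(WEB_XML)
    buggy = is_user_in_role_buggy(realm, "alice", "MGR")
    correct = is_user_in_role_correct(realm, role_refs, security_roles,
                                      "Accounts", "alice", "MGR")
    return buggy, correct


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The point of the split is that a servlet written against its declared alias gets an answer about a name the realm was never told about when the ref is skipped: here alice is a manager, yet the buggy path says she is not in "MGR". Resolving through the ref, and refusing names that are neither an alias nor a declared security-role, is what the CTS basic-security tests exercise.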
