I found this bug report:
http://znutar.cortexity.com/BugRatViewer/ShowReport/757. I think this is
what we are talking about. It has already been fixed in 3.2.2beta3. I
installed it and my problem seems to have been solved. I will be interested
to know if this beta3 release solves the problems others have posted in this
thread "Auth bug in 3.2.1".

Rajesh

>From: "Jeff Kilbride" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: <[EMAIL PROTECTED]>
>Subject: Re: Auth bug in 3.2.1?
>Date: Sat, 14 Apr 2001 16:01:20 -0700
>
>Hi Thom,
>
>Thanks for posting a solution! I was just about to start exploring
>JDBCRealms.
>
>Did you post this as a patch to the Tomcat-dev list? If not, that might be
>the best first step, since it looks like you've solved the problem. Who
>knows how long it will take for someone on the Dev side to read through
>this list and find this thread...
>
>--jeff
>
>----- Original Message -----
>From: "Rajesh A" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Saturday, April 14, 2001 8:12 AM
>Subject: Re: Auth bug in 3.2.1?
>
>
> > I completely agree with Marc. This is a very serious problem and if I
> > understand Thom's mail right, it affects ALL realms including
> > SimpleRealm, JDBCRealm etc.
> >
> > I also request others using tomcat auth to revisit their applications
> > and make sure users and roles are being assigned properly. Perhaps many
> > may be hit by this problem but have not discovered it yet. Without a
> > solution to this problem I will have to redesign security for my
> > application and that will blow my project plan!
> >
> > We already seem to have a solution posted by Thom Park. Can someone from
> > tomcat dev please consider it and release a patch?
> >
> > Please help.
> >
> > Rajesh
> >
> >
> > >From: Marc Palmer <[EMAIL PROTECTED]>
> > >Reply-To: [EMAIL PROTECTED]
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Auth bug in 3.2.1?
> > >Date: Sat, 14 Apr 2001 08:08:21 GMT
> > >
> > > >Hi Marc,
> > > >I saw this problem in 3.2.1 as well - I made a fix for it in the
> > > >tomcat that ships with the Borland AppServer but couldn't get anyone
> > > >to comment on the fix in the main code-line (essentially I'm not a
> > > >committer so couldn't submit the fix)
> > >Hi Thom,
> > >Thanks for the info. Can someone from the Tomcat development team
> > >please comment on this? I would have thought that this was quite a
> > >serious security problem - am I wrong?
> > >The way I see it, the bug could lead to anybody grabbing another user's
> > >role while appearing to be somebody else. This is certainly possible if
> > >you use somebody else's PC after they have. It may be even worse if you
> > >can also do this from a different PC - essentially getting a "random"
> > >role that somebody else already "provided" by logging in. Not to
> > >mention plain old failure in the case where a higher "privileged" person
> > >gets a lower privileged role allocated. It's not clear at this time
> > >whether the principal caching is tied to IP or "per pooled connection".
> > >If the latter, it's a bit more scary.
> > >So once again, can someone from the Tomcat team PLEASE comment on this
> > >problem and whether a fix is being implemented? Perhaps there is too
> > >much work/redesign going on in 4.0 for people to consider patching 3.2.x
> > >but I would have thought this is pretty essential, and perhaps even
> > >merits a post to the BUGTRAQ mailing list. We already have 3 confirmed
> > >"sufferers" - who knows how many systems that depend on tomcat have
> > >slipped through the net and represent significant authentication
> > >breaches?
> > >
> > >Cheers
> > >
> > >
> >
>

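The failure mode Marc speculates about (a principal remembered on a pooled connection rather than bound to the client's session), as an added model that is not Tomcat code and was not written by anyone in this thread. It uses a constructed two-user table and a toy realm interface of my own (the `Connection`, `Request` and `authenticate` names are assumptions, not Tomcat 3.2 APIs), puts the connection-cached variant beside a session-bound one, and ends with the per-request check Rajesh asks people to run: does the principal a request was served with match the user who owns that session?

```python
from dataclasses import dataclass
from typing import Optional

# Constructed user table for the model (not a users.xml or a JDBC table).
USERS = {
    "alice": {"password": "alice-pw", "roles": frozenset({"admin"})},
    "bob": {"password": "bob-pw", "roles": frozenset({"viewer"})},
}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


@dataclass
class Request:
    session_id: str                      # the client's session cookie
    credentials: Optional[tuple] = None  # (user, password) on a login request


@dataclass
class Connection:
    """A pooled, keep-alive server-side connection. It outlives any single
    request and may next be reused for a request from a different client."""
    name: str
    cached_principal: Optional[Principal] = None


def check_password(user: str, password: str) -> Optional[Principal]:
    entry = USERS.get(user)
    if entry is None or entry["password"] != password:
        return None
    return Principal(user, entry["roles"])


class ConnectionCachingRealm:
    """Models the suspected defect: the principal is stored on the connection
    object, so it survives into the next request on that connection no matter
    which client sent it."""

    def authenticate(self, conn: Connection, req: Request) -> Optional[Principal]:
        if req.credentials is not None:
            p = check_password(*req.credentials)
            if p is not None:
                conn.cached_principal = p
        return conn.cached_principal


class SessionBoundRealm:
    """Hardened form: the principal is keyed by the client's session, and any
    leftover state on the connection is discarded before each request."""

    def __init__(self):
        self._by_session = {}

    def authenticate(self, conn: Connection, req: Request) -> Optional[Principal]:
        conn.cached_principal = None  # never trust state left by a previous request
        if req.credentials is not None:
            p = check_password(*req.credentials)
            if p is not None:
                self._by_session[req.session_id] = p
        return self._by_session.get(req.session_id)


def run_scenario(realm) -> dict:
    """Four requests served over one pooled connection:
    alice logs in; bob (new session, no credentials) lands on the same
    connection; bob logs in; alice sends a plain request afterwards.
    Returns the principal name each observed request was served with."""
    conn = Connection("pool-conn-1")
    served = {}
    served["alice_login"] = realm.authenticate(conn, Request("sess-A", ("alice", "alice-pw")))
    served["bob_unauthenticated"] = realm.authenticate(conn, Request("sess-B"))
    realm.authenticate(conn, Request("sess-B", ("bob", "bob-pw")))
    served["alice_after_bob"] = realm.authenticate(conn, Request("sess-A"))
    return {k: (None if p is None else p.name) for k, p in served.items()}


# Who actually owns each session at the time of the request.
EXPECTED_OWNER = {"alice_login": "alice", "bob_unauthenticated": None, "alice_after_bob": "alice"}


def leaks(realm) -> list:
    """The audit Rajesh asks for: list every request whose served principal
    differs from the session's real owner (a foreign role, or no role at all
    where an unauthenticated client should have been challenged)."""
    served = run_scenario(realm)
    return [k for k, name in served.items() if name != EXPECTED_OWNER[k]]


if __name__ == "__main__":
    print("connection-cached:", run_scenario(ConnectionCachingRealm()), leaks(ConnectionCachingRealm()))
    print("session-bound:   ", run_scenario(SessionBoundRealm()), leaks(SessionBoundRealm()))
```

With the connection-cached realm, bob's first request is served as alice (admin), and alice's later request is served as bob (viewer): both of the cases Marc lists, a foreign role being picked up and a higher-privileged user being demoted. The session-bound realm reports no mismatches. The same comparison, logged per request in a real deployment (session user versus the principal the container reports), is how an application owner can tell whether their instance is affected.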
