  1. Geronimo
  2. GERONIMO-1480

Cross context include does not set jacc contextID for 2nd web app. (Tomcat only)


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.1, 1.2
    • Fix Version/s: 1.1, 1.2
    • Component/s: Tomcat
    • Security Level: public (Regular issues)
    • Labels: None

    Description

      If you do a cross context include from web app A to web app B, the JACC contextID fetched from PolicyContext when you evaluate isUserInRole in web app B is the contextID for A, not B.

      Presumably the cross context dispatch does not go through the PolicyContextValve for B. Here's a thread trace that demonstrates this, with a couple of annotations.

      http-0.0.0.0-8080-Processor24@43e daemon prio=5, in group "main", status: RUNNING
      implies():80, GeronimoPolicy.java
      implies():46, JaasPolicyCoordinator.java
      implies():189, ProtectionDomain.java
      checkPermission():254, AccessControlContext.java
      hasRole():248, TomcatGeronimoRealm.java
      isUserInRole():2128, Request.java
      isUserInRole():761, RequestFacade.java
      isUserInRole():163, HttpServletRequestWrapper.java
      isUserInRole():163, HttpServletRequestWrapper.java
      isUserInRole():163, HttpServletRequestWrapper.java
      isUserInRole():163, HttpServletRequestWrapper.java
      isUserInRole():265, PortletRequestImpl.java
      _jspService():46, roles.jsp
      service():97, HttpJspBase.java
      service():688, HttpServlet.java
      service():322, JspServletWrapper.java
      serviceJspFile():314, JspServlet.java
      service():264, JspServlet.java
      service():688, HttpServlet.java
      internalDoFilter():252, ApplicationFilterChain.java
      doFilter():173, ApplicationFilterChain.java
      invoke():672, ApplicationDispatcher.java
      doInclude():574, ApplicationDispatcher.java
      include():499, ApplicationDispatcher.java
      include():72, JetspeedRequestDispatcher.java
      doView():363, GenericServletPortlet.java
      doDispatch():250, GenericPortlet.java
      render():178, GenericPortlet.java
      render():102, JetspeedPortletInstance.java

      THIS IS WEB APP B
      doGet():230, JetspeedContainerServlet.java
      service():595, HttpServlet.java
      service():688, HttpServlet.java
      internalDoFilter():252, ApplicationFilterChain.java
      doFilter():173, ApplicationFilterChain.java
      invoke():672, ApplicationDispatcher.java
      doInclude():574, ApplicationDispatcher.java
      include():499, ApplicationDispatcher.java

      THIS IS A INCLUDING B
      invoke():213, ServletPortletInvoker.java
      render():125, ServletPortletInvoker.java
      renderPortlet():119, PortletContainerImpl.java
      renderPortlet():120, JetspeedPortletContainerWrapper.java
      execute():120, RenderingJobImpl.java
      renderNow():110, PortletRendererImpl.java
      aggregateAndRender():199, PageAggregatorImpl.java
      aggregateAndRender():182, PageAggregatorImpl.java
      build():106, PageAggregatorImpl.java
      invoke():48, AggregatorValve.java
      invokeNext():166, JetspeedPipeline.java
      invoke():132, ActionValveImpl.java
      invokeNext():166, JetspeedPipeline.java
      invoke():76, ContainerValve.java
      invokeNext():166, JetspeedPipeline.java
      invoke():100, DecorationValve.java
      invokeNext():166, JetspeedPipeline.java
      invoke():179, ProfilerValveImpl.java
      invokeNext():166, JetspeedPipeline.java
      invoke():143, LoginValidationValveImpl.java
      invokeNext():166, JetspeedPipeline.java
      invoke():148, PasswordCredentialValveImpl.java
      invokeNext():166, JetspeedPipeline.java
      invoke():168, LocalizationValveImpl.java
      invokeNext():166, JetspeedPipeline.java
      run():117, AbstractSecurityValve.java
      doPrivileged():-1, AccessController.java
      doAsPrivileged():437, Subject.java
      invoke():111, AbstractSecurityValve.java
      invokeNext():166, JetspeedPipeline.java
      invoke():55, PortalURLValveImpl.java
      invokeNext():166, JetspeedPipeline.java
      invoke():128, CapabilityValveImpl.java
      invokeNext():166, JetspeedPipeline.java
      invoke():145, JetspeedPipeline.java
      service():231, JetspeedEngine.java

      THIS IS WEB APP A:
      doGet():226, JetspeedServlet.java
      service():595, HttpServlet.java
      service():688, HttpServlet.java
      internalDoFilter():252, ApplicationFilterChain.java
      doFilter():173, ApplicationFilterChain.java
      invoke():672, ApplicationDispatcher.java
      processRequest():463, ApplicationDispatcher.java
      doForward():398, ApplicationDispatcher.java
      forward():301, ApplicationDispatcher.java
      doForward():693, PageContextImpl.java
      forward():660, PageContextImpl.java
      _jspService():16, index.jsp
      service():97, HttpJspBase.java
      service():688, HttpServlet.java
      service():322, JspServletWrapper.java
      serviceJspFile():314, JspServlet.java
      service():264, JspServlet.java
      service():688, HttpServlet.java
      internalDoFilter():252, ApplicationFilterChain.java
      doFilter():173, ApplicationFilterChain.java
      invoke():213, StandardWrapperValve.java
      invoke():178, StandardContextValve.java
      invoke():52, DefaultSubjectValve.java
      invoke():432, AuthenticatorBase.java
      invoke():262, GeronimoStandardContext.java
      invoke():52, PolicyContextValve.java
      invoke():53, TransactionContextValve.java
      invoke():47, ComponentContextValve.java
      invoke():60, InstanceContextValve.java
      invoke():126, StandardHostValve.java
      invoke():105, ErrorReportValve.java
      invoke():107, StandardEngineValve.java
      invoke():541, AccessLogValve.java
      service():148, CoyoteAdapter.java
      process():868, Http11Processor.java
      processConnection():663, Http11BaseProtocol.java
      processSocket():527, PoolTcpEndpoint.java
      runIt():80, LeaderFollowerWorkerThread.java
      run():684, ThreadPool.java
      run():552, Thread.java

      This demonstrates that cross context dispatch should not be used on geronimo-tomcat until this and related problems are fixed. Aside from the wrong security permissions being applied, the JNDI context is wrong.
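
The failure mode described above, as an added example that is not code from this issue, Geronimo or Tomcat: a simplified model in which a thread-local stands in for javax.security.jacc.PolicyContext, so that a role check made inside web app B during an include is answered with web app A's policy unless the dispatch switches the context ID and restores it afterwards. The class, its method names, the context IDs "webapp-A" and "webapp-B" and the role table are all hypothetical, constructed for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;

// Simplified model (not Geronimo or Tomcat code) of a per-thread JACC context ID.
public class CrossContextDemo {
    // Stand-in for javax.security.jacc.PolicyContext, which is also per-thread.
    static final ThreadLocal<String> CONTEXT_ID = new ThreadLocal<>();

    // Constructed policy: roles granted to the caller, keyed by context ID.
    static final Map<String, Set<String>> ROLES =
            Map.of("webapp-A", Set.of("admin"), "webapp-B", Set.of("user"));

    // Role check evaluated against whatever context ID the thread carries.
    static boolean isUserInRole(String role) {
        String id = CONTEXT_ID.get();
        Set<String> granted = (id == null) ? Set.of() : ROLES.getOrDefault(id, Set.of());
        return granted.contains(role);
    }

    // What a context valve does on normal request entry: set, run, restore.
    static <T> T withContext(String contextId, Supplier<T> body) {
        String previous = CONTEXT_ID.get();
        CONTEXT_ID.set(contextId);
        try {
            return body.get();
        } finally {
            CONTEXT_ID.set(previous); // restore even if the target throws
        }
    }

    // Behaviour reported in the issue: the include reaches B without B's valve.
    static <T> T includeWithoutSwitch(Supplier<T> targetInB) {
        return targetInB.get();
    }

    // Corrected dispatch: run the included target under its own context ID.
    static <T> T includeWithSwitch(String targetContextId, Supplier<T> targetInB) {
        return withContext(targetContextId, targetInB);
    }

    public static void main(String[] args) {
        withContext("webapp-A", () -> {
            // B's page asks for "admin", a role that only A's policy grants.
            System.out.println("no switch:   " + includeWithoutSwitch(() -> isUserInRole("admin")));
            System.out.println("with switch: " + includeWithSwitch("webapp-B", () -> isUserInRole("admin")));
            System.out.println("context after include: " + CONTEXT_ID.get());
            return null;
        });
    }
}
```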

          People

            jgenender Jeff Genender
            djencks David Jencks