Details
Description
Consider the following fragment of my web.xml in my WAR:
<security-constraint>
<display-name>Unsecure Constraint</display-name>
<web-resource-collection>
<web-resource-name>Unsecure Resource Collection</web-resource-name>
<url-pattern>/common/error/*</url-pattern>
<url-pattern>/common/includes/*</url-pattern>
<url-pattern>/common/Message.jsp</url-pattern>
<url-pattern>/common/resources/*</url-pattern>
<url-pattern>/common/security/login.jsp</url-pattern>
<url-pattern>/common/security/logout.jsp</url-pattern>
<url-pattern>/servlet/branding/*</url-pattern>
<url-pattern>/servlet/image/*</url-pattern>
<url-pattern>/servlet/login/*</url-pattern>
<url-pattern>/servlet/definecookie</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>Secure Constraint</display-name>
<web-resource-collection>
<web-resource-name>Secure Resource Collection</web-resource-name>
<url-pattern>/</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>MXSYSTEM</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/common/security/PreLogin.jsp</form-login-page>
<form-error-page>/common/security/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Application System Role</description>
<role-name>MXSYSTEM</role-name>
</security-role>
There are two sets of web resources defined: a secured web resource collection, and an unsecured web resource collection. The secured web collection is by default everything that matches the "/" pattern. In the unsecured web collection, we use specific URL patterns so that certain resources can be accessed prior to login. Note that there is no security role defined for the unsecured web resource collection, as these resources should be available to every request.
The problem is that access is denied to to the unsecured web resource collection, even though they are defined as unsecured. A blank HTML page is returned instead of the appropriate resource. After some debugging, I discovered what seems to be a bug in the org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm class. Consider the following code fragment in the hasResourceCollection(...) method:
// Which user principal have we already authenticated?
Principal principal = request.getUserPrincipal();
//If we have no principal, then we should use the default.
if (principal == null)
else
{ Subject currentCaller = ((JAASTomcatPrincipal) principal).getSubject(); ContextManager.setCallers(currentCaller, currentCaller); }When I make an HTTP connection to an unsecure web resource, I am unauthenticated before I can login. Thus, the principal in this case is null. In the case of a null principal, the code seems to base its authorization on whether or not the request is secure! This seems very strange to me, as it should be able to accept normal, unauthenticated, HTTP connections to unsecure web resources.
I tried accessing the unsecured web resources over HTTPS, and sure enough, I was able to access them because of the secure connection. I'm not sure why this works only over HTTPS...it should work in both cases.
Attachments
Attachments
Issue Links
- is duplicated by
-
GERONIMO-2339 Empty auth-constraint tag in web app security-constraint does not prevent access to resource
- Closed