Jetspeed 2 / JS2-496

J2 on tomcat 5.5.15: 403 returned to client browser when any user that doesn't have admin role attempts to log in

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0-FINAL
    • Fix Version/s: 2.1-dev, 2.1
    • Component/s: Security
    • Labels:
      None
    • Environment:
      Tomcat 5.5.15 (JDK 1.5, Apache 2, Fedora Core 3)

      Description

      When J2 is deployed on tomcat 5.5.15, whenever any user that does not have the admin role logs in, a 403 is returned for the URI /login/redirector.

      This does not occur on earlier releases of tomcat (5.5.9 for example).

      The user is in fact authenticated, for if you delete the /login/redirector from the URL in the browser and refresh, then the main page of the portal is shown and the user is authenticated.

        Activity

        Ate Douma added a comment -

        Closed again now properly recorded against Fix Version 2.1 as well

        Randy Watler added a comment -

        JS2-496 fix - Support strict interpretation of authenticated role names in web.xml for tomcat 5.5.14+:

        • the '*' role name in <auth-constraint> tags is interpreted as any role defined in the
          webapp web.xml file (not any role the application chooses to pass in the JAAS subject).
        • test for authenticated user using pseudo role returned to container using JAAS subject:

          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Login</web-resource-name>
              <url-pattern>/login/redirector</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <role-name>portal-user</role-name>
            </auth-constraint>
          </security-constraint>

        • portal user pseudo role name can be specified in security-atn.xml configuration.
        • default portal user pseudo role name is 'portal-user'.
        • user roles defined in J2 remain included in the subject for those that wish to use
          finer grain tests at the container level.
        • this feature may be refined if container managed security is refactored to support
          J2EE style role usage patterns.
        Brad Svee added a comment -

        adding the following to the web.xml inside the <web-app> </web-app> will take care of the problem in Tomcat 5.5.15, although adding roles through the UI will require a modification here manually:

          <!-- one <role-name> per <security-role>, as the servlet deployment descriptor requires -->
          <security-role>
            <role-name>manager</role-name>
          </security-role>
          <security-role>
            <role-name>user</role-name>
          </security-role>
          <security-role>
            <role-name>admin</role-name>
          </security-role>

        Jian Liao added a comment -

        FYI, the following bug is related to this issue:

        1. 37852: Fix regression where the magic role '*' was denying all access. Patch by xrcat (billbarker)
        2. 15570: auth-constraint of * was interpreted as all authenticated users rather than as all roles defined in web.xml. (markt)

        Class: org.apache.catalina.realm.RealmBase, lines 726 to 777.
        Link: http://tomcat.apache.org/tomcat-5.5-doc/changelog.html

        - Jian Liao
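        The three comments above describe the same authorization decision from different angles: Randy Watler's fix constrains /login/redirector on a pseudo role that the portal always adds to the JAAS subject, Brad Svee's workaround declares every portal role in web.xml, and Jian Liao points at the Tomcat change (bug 15570) that made '*' mean "any declared role" instead of "any authenticated user". The following is an added example, not Jetspeed 2 or Tomcat code: a small Java model of how a container evaluates an <auth-constraint> under both readings of '*', run against a constructed non-admin user. The class name, the declared-role sets and the user's roles are assumptions for the illustration; the pseudo role name 'portal-user' and the configuration location come from the fix description.

```java
import java.util.HashSet;
import java.util.Set;

/*
 * Added example (not Jetspeed 2 or Tomcat code): a minimal model of how a
 * servlet container decides whether an authenticated subject satisfies an
 * <auth-constraint>. It contrasts the lenient reading of the '*' role name
 * (Tomcat before 5.5.14: any authenticated user) with the strict reading
 * (Tomcat 5.5.14+: any role declared in <security-role>), and exercises the
 * two remedies discussed in JS2-496: declaring every J2 role in web.xml, or
 * constraining /login/redirector on a pseudo role ("portal-user") that the
 * portal always places in the JAAS subject. Role and user names are constructed.
 * Requires Java 9+ for Set.of.
 */
public class AuthConstraintModel {

    /** Roles declared via <security-role> in a hypothetical J2 web.xml. */
    static final Set<String> DECLARED_ADMIN_ONLY = Set.of("admin");
    static final Set<String> DECLARED_ALL = Set.of("admin", "manager", "user");

    /**
     * Evaluate an <auth-constraint> for an already-authenticated subject.
     * constraintRoles mirrors the <role-name> entries of the constraint;
     * strictStar selects the 5.5.14+ interpretation of '*'.
     * Returns true when the request may proceed, false when the container
     * would answer 403.
     */
    static boolean hasResourcePermission(Set<String> subjectRoles,
                                         Set<String> constraintRoles,
                                         Set<String> declaredRoles,
                                         boolean strictStar) {
        for (String role : constraintRoles) {
            if ("*".equals(role)) {
                if (!strictStar) {
                    return true;            // lenient: any authenticated user
                }
                for (String declared : declaredRoles) {
                    if (subjectRoles.contains(declared)) {
                        return true;        // strict: must hold a declared role
                    }
                }
            } else if (subjectRoles.contains(role)) {
                return true;                // explicit role name matched
            }
        }
        return false;
    }

    /**
     * Model of the subject the portal hands to the container after JAAS login:
     * the user's portal roles plus the configured pseudo role (default
     * "portal-user", configurable in security-atn.xml per the fix description).
     */
    static Set<String> portalSubjectRoles(Set<String> portalRoles, String pseudoRole) {
        Set<String> roles = new HashSet<>(portalRoles);
        roles.add(pseudoRole);
        return roles;
    }

    public static void main(String[] args) {
        Set<String> star = Set.of("*");
        Set<String> nonAdmin = Set.of("user");   // constructed: a plain portal user

        // Tomcat 5.5.9 behaviour: '*' admits any authenticated user, login works.
        report("5.5.9,  '*', only admin declared",
               hasResourcePermission(nonAdmin, star, DECLARED_ADMIN_ONLY, false));

        // Tomcat 5.5.15: '*' means "any declared role"; 'user' is not declared -> 403.
        report("5.5.15, '*', only admin declared",
               hasResourcePermission(nonAdmin, star, DECLARED_ADMIN_ONLY, true));

        // Workaround from the thread: declare every portal role in web.xml.
        report("5.5.15, '*', all roles declared",
               hasResourcePermission(nonAdmin, star, DECLARED_ALL, true));

        // JS2-496 fix: constrain on the pseudo role the portal always supplies,
        // so web.xml need not track roles that are added later through the UI.
        Set<String> withPseudo = portalSubjectRoles(nonAdmin, "portal-user");
        report("5.5.15, 'portal-user' constraint, only admin declared",
               hasResourcePermission(withPseudo, Set.of("portal-user"), DECLARED_ADMIN_ONLY, true));
    }

    static void report(String scenario, boolean allowed) {
        System.out.println(scenario + " -> " + (allowed ? "allowed" : "403 Forbidden"));
    }
}
```

        Compile and run with `javac AuthConstraintModel.java && java AuthConstraintModel`. The second scenario reproduces the symptom in this issue (an authenticated non-admin user rejected at /login/redirector), and the last shows why the pseudo-role constraint is the more robust remedy: it keeps the container's decision independent of which portal roles happen to be declared in web.xml.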
        Jian Liao added a comment -

        There is a bug fix in Tomcat 5.5.15 (http://issues.apache.org/bugzilla/show_bug.cgi?id=37852) which causes this problem.
        I encountered this issue when I was working on integrating J2 with Geronimo, too (http://comments.gmane.org/gmane.comp.java.geronimo.devel/22704). Geronimo has the same behavior as Tomcat 5.5.15. IMHO, it is time for J2 to fix this bug in web.xml by declaring all the security roles in web.xml.

        If you're interested in JS2-444, download the latest package (geronimo-jetspeed12.zip); you should find that we declare all the security roles in web.xml (app-servers/geronimo/jetspeed-war/src/webapp/WEB-INF).

        HTH,

        - Jian Liao

          People

          • Assignee: Randy Watler
          • Reporter: Aaron Evans
          • Votes: 0
          • Watchers: 0