JBAS-1165: JACC incorrect when checking auth for WebResourcePermission

Project: Application Server 3, 4, 5 and 6


Description

SourceForge Submitter: skinser.

During deployment, when a WebResourcePermission or a WebUserDataPermission is constructed by the AbstractWebDeployer for a security-constraint that doesn't specify an http-method element, the httpMethods instance variable will be empty. JBoss does this correctly and conforms to section 3.1.3.1 of the JACC 1.0 specification.

The defect occurs when the JaccAuthorizationRealm's hasResourcePermission consults the policy for the authorization decision.

For example, when a user sends an HTTP GET request to a resource, hasResourcePermission correctly constructs a new WebResourcePermission object with the actions set to GET. The JaccAuthorizationRealm then passes this object to the policy for the authorization decision. The policy matches the target WebResourcePermission with a WebResourcePermission inside of the ContextPolicy, but the implies method of the WebResourcePermission checks that GET is included in its httpMethods and returns false since httpMethods is empty. The WebResourcePermission class improperly handles an empty httpMethods. The proper way is to check for an empty httpMethods before checking that all of the httpMethods in the desired WebResourcePermission are contained in the granted WebResourcePermission.

The defect in the WebResourcePermission implies method is also in the implies method of the WebUserDataPermission class.

An alternative to modifying the implies methods would be to modify the AbstractWebDeployer class to explicitly populate the httpMethods in the permission objects with all of the http methods.
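Added example (not the JBoss 4.0.0 source or the reporter's code): a simplified stand-in for WebResourcePermission that places the defective implies check described above beside the corrected one, and shows that the correction still denies a method the constraint did not grant. The class name SimpleWebResourcePermission, the equality-based URL-pattern match and the comma-separated actions string are assumptions made for this example; the httpMethods handling follows the report.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Simplified stand-in for WebResourcePermission, written for this example (not the
// JBoss 4.0.0 class). URL-pattern matching is reduced to string equality so that
// only the httpMethods handling from the report is exercised.
final class SimpleWebResourcePermission {
    private final String urlPattern;
    // Empty set: the security-constraint had no http-method element, so the
    // constraint covers every HTTP method (JACC 1.0, section 3.1.3.1).
    private final Set<String> httpMethods = new HashSet<>();

    SimpleWebResourcePermission(String urlPattern, String actions) {
        this.urlPattern = urlPattern;
        if (actions != null && !actions.isEmpty()) {
            httpMethods.addAll(Arrays.asList(actions.split(",")));
        }
    }
    // Defective check as described in the report: an empty granted httpMethods
    // can never contain GET, so the policy denies the request.
    boolean impliesDefective(SimpleWebResourcePermission requested) {
        return urlPattern.equals(requested.urlPattern)
            && httpMethods.containsAll(requested.httpMethods);
    }
    // Corrected check: treat an empty httpMethods as unrestricted before
    // comparing the requested methods against the granted ones.
    boolean impliesFixed(SimpleWebResourcePermission requested) {
        return urlPattern.equals(requested.urlPattern)
            && (httpMethods.isEmpty() || httpMethods.containsAll(requested.httpMethods));
    }
}

public class JaccImpliesDemo {
    public static void main(String[] args) {
        // Granted by the deployer for a constraint without http-method; requested
        // by hasResourcePermission for an incoming GET on the same resource.
        SimpleWebResourcePermission unrestricted = new SimpleWebResourcePermission("/index.jsp", "");
        SimpleWebResourcePermission getOnly = new SimpleWebResourcePermission("/index.jsp", "GET");
        SimpleWebResourcePermission get = new SimpleWebResourcePermission("/index.jsp", "GET");
        SimpleWebResourcePermission post = new SimpleWebResourcePermission("/index.jsp", "POST");

        System.out.println("defective, unrestricted implies GET: " + unrestricted.impliesDefective(get));
        System.out.println("fixed, unrestricted implies GET:     " + unrestricted.impliesFixed(get));
        // The fix must not over-grant: a GET-only constraint still denies POST.
        System.out.println("fixed, GET-only implies POST:        " + getOnly.impliesFixed(post));
    }
}
```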

To duplicate, take a fresh install of JBoss 4.0.0, install the tomcat50-service.jar patch, unzip the webapp.zip file, and run the JBoss default server. Open http://localhost:8080/webapp/index.jsp and authenticate as admin with a password of test (see the user.properties file in the zip). You should be granted access according to web.xml, but will be denied access due to this defect. See the log for more confirmation.

People

starksm64 Scott Stark (Inactive)
sourceforge-user SourceForge legacy user (Inactive)