Details
- Bug
- Resolution: Done
- Major
- JBossAS-4.0.0 Final
- None
Description
SourceForge Submitter: skinser .
During deployment, when a WebResourcePermission or a WebUserDataPermission is constructed by the AbstractWebDeployer for a security-constraint that doesn't specify an http-method element, the httpMethods instance variable will be empty. JBoss does this correctly and conforms to section 3.1.3.1 of the JACC 1.0 specification.

The defect occurs when the JaccAuthorizationRealm's hasResourcePermission consults the policy for the authorization decision. For example, when a user sends an HTTP GET request to a resource, hasResourcePermission correctly constructs a new WebResourcePermission object with the actions set to GET. The JaccAuthorizationRealm then passes this object to the policy for the authorization decision. The policy matches the target WebResourcePermission with a WebResourcePermission inside of the ContextPolicy, but the implies method of the WebResourcePermission checks that GET is included in its httpMethods and returns false since httpMethods is empty. The WebResourcePermission class improperly handles an empty httpMethods. The proper way is to check for an empty httpMethods before checking that all of the httpMethods in the desired WebResourcePermission are contained in the granted WebResourcePermission.

The defect in the WebResourcePermission implies method is also in the implies method of the WebUserDataPermission class.

An alternative to modifying the implies methods would be to modify the AbstractWebDeployer class to explicitly populate the httpMethods in the permission objects with all of the HTTP methods.
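To make the failing check concrete, the following is an added example, not JBoss or JACC code and not the submitter's: it models the permission's implies logic with a hypothetical MethodPermission class, placing the defective containsAll-only check beside the corrected one that treats an empty httpMethods set as "all methods" (the JACC 1.0 section 3.1.3.1 semantics the report cites). The class name, the string-equality comparison of urlPattern (the real permissions match URL pattern specs, not plain strings) and the sample "/index.jsp" values are assumptions made for the illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Illustrative model (not the JBoss or JACC class) of a web permission
 * whose actions are a set of HTTP methods. Per JACC 1.0 section 3.1.3.1,
 * an empty set means the permission covers every HTTP method.
 */
public final class HttpMethodPermissionDemo {

    /** Hypothetical stand-in for WebResourcePermission / WebUserDataPermission. */
    static final class MethodPermission {
        final String urlPattern;
        final Set<String> httpMethods; // empty == all methods

        MethodPermission(String urlPattern, String actions) {
            this.urlPattern = urlPattern;
            Set<String> methods = new HashSet<>();
            if (actions != null && !actions.isEmpty()) {
                methods.addAll(Arrays.asList(actions.split(",")));
            }
            this.httpMethods = Collections.unmodifiableSet(methods);
        }

        /**
         * The defective check described in the report: a granted permission
         * with an empty method set can never contain the requested method,
         * so a constraint with no http-method element denies every request.
         */
        boolean impliesDefective(MethodPermission requested) {
            return urlPattern.equals(requested.urlPattern)
                && httpMethods.containsAll(requested.httpMethods);
        }

        /**
         * The corrected check: test for an empty granted set first, because
         * "no http-method element" means the constraint applies to all methods.
         */
        boolean impliesFixed(MethodPermission requested) {
            if (!urlPattern.equals(requested.urlPattern)) {
                return false;
            }
            if (httpMethods.isEmpty()) {
                return true; // constraint covers every HTTP method
            }
            return httpMethods.containsAll(requested.httpMethods);
        }
    }

    public static void main(String[] args) {
        // Constructed input: a security-constraint with no http-method element
        // yields a granted permission whose httpMethods set is empty.
        MethodPermission granted = new MethodPermission("/index.jsp", "");
        // Constructed input: the permission the realm builds for a GET request.
        MethodPermission requested = new MethodPermission("/index.jsp", "GET");

        System.out.println("defective implies: " + granted.impliesDefective(requested));
        System.out.println("fixed implies:     " + granted.impliesFixed(requested));
    }
}
```

Run with `javac HttpMethodPermissionDemo.java && java HttpMethodPermissionDemo`: the defective check reports false for the GET request and the corrected one reports true, which is the access denial the report describes and the access web.xml actually grants. The same ordering (empty-set test before containsAll) applies to the WebUserDataPermission case the report mentions.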
To duplicate, take a fresh install of JBoss 4.0.0, install the tomcat50-service.jar patch, unzip the webapp.zip file, and run the JBoss default server. Open http://localhost:8080/webapp/index.jsp and authenticate as admin with a password of test (see the user.properties file in the zip). You should be granted access according to web.xml, but will be denied access due to this defect. See the log for more confirmation.