Details
- Bug
- Resolution: Done
- Major
- JBossAS-4.0.2RC1
- None
Description
JACC validation for web applications fails when JBoss runs with a secured Tomcat Connector (Connector attribute secure="true").
The cause is that the "user-data-constraint" of a web.xml is not taken into account when the JACC permissions are created.
1. JACC permission creation (during deployment):
In TomcatDeployer.createPermissions(), line 933, the WebResourcePermission is built from an httpMethods[] array (e.g. GET, POST, ...) that holds only the HTTP methods, without the transport guarantee required by the security constraint.
The permission maps in ContextPolicy (excluded-, unchecked- and rolePermissions) therefore contain entries such as:
(javax.security.jacc.WebResourcePermission /html/allowed_to_a/* GET)
2. Request permission creation (at runtime):
The method WebResourcePermission.requestActions() appends the security state of the Tomcat connector attribute "secure" to the requested HTTP method:
String actions = request.getMethod() + (request.isSecure() ? ":CONFIDENTIAL" : "");
so the resulting HttpMethodsString looks like:
HttpMethodsString=GET:CONFIDENTIAL
3. Request validation:
ContextPolicy.implies() fails the validation because the two entries differ, e.g.:
(javax.security.jacc.WebResourcePermission /html/allowed_to_a/* GET)
(javax.security.jacc.WebResourcePermission /html/allowed_to_a/* GET:CONFIDENTIAL)
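The following is a simplified model of the mismatch described in steps 1 to 3, added here as an illustration; it is constructed example code, not JBoss's TomcatDeployer or ContextPolicy code. It assumes a servlet-style URL pattern matcher and an action string of the form METHOD[,METHOD...][:TRANSPORT]; the names WebPermission, request_permission, string_key_lookup and structured_lookup are hypothetical. The first lookup compares the action strings verbatim and shows why "GET" never matches "GET:CONFIDENTIAL"; the second separates the method set from the transport guarantee, which is what a user-data-constraint expresses.

```python
"""Simplified model of JACC web-permission matching (constructed example, not JBoss code)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style URL pattern matching as used for web-resource permissions."""
    if pattern in ("/", "/*"):
        return True                          # default pattern covers every path
    if pattern.endswith("/*"):               # path-prefix pattern, e.g. /html/allowed_to_a/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):             # extension pattern, e.g. *.jsp
        return path.endswith(pattern[1:])
    return path == pattern                   # exact match


@dataclass(frozen=True)
class WebPermission:
    """Hypothetical permission: URL pattern (or concrete path), method set, transport guarantee."""
    url_pattern: str
    methods: FrozenSet[str]                  # empty set means "any HTTP method"
    transport: Optional[str]                 # None means "any transport", else e.g. "CONFIDENTIAL"

    @property
    def actions(self) -> str:
        """Flat action string in the form the report quotes, e.g. 'GET:CONFIDENTIAL'."""
        text = ",".join(sorted(self.methods))
        return text + (":" + self.transport if self.transport else "")

    @classmethod
    def parse(cls, url_pattern: str, actions: str) -> "WebPermission":
        """Split 'GET,POST[:TRANSPORT]' into a method set and an optional transport guarantee."""
        method_part, _, transport = actions.partition(":")
        methods = frozenset(m.strip() for m in method_part.split(",") if m.strip())
        return cls(url_pattern, methods, transport or None)

    def implies(self, other: "WebPermission") -> bool:
        """Structured check: pattern covers the path, methods cover methods, transport compatible."""
        if not url_pattern_matches(self.url_pattern, other.url_pattern):
            return False
        if self.methods and not other.methods <= self.methods:
            return False
        # A granted permission without a transport guarantee accepts any transport;
        # one requiring CONFIDENTIAL only accepts requests that came over a secure connector.
        return self.transport is None or self.transport == other.transport


def request_permission(path: str, method: str, secure: bool) -> WebPermission:
    """Build the runtime permission the way the report describes: method + ':CONFIDENTIAL' if secure."""
    return WebPermission.parse(path, method + (":CONFIDENTIAL" if secure else ""))


def string_key_lookup(granted: Iterable[WebPermission], requested: WebPermission) -> bool:
    """The failing behaviour: treat the action string as an opaque key and compare it verbatim."""
    return any(
        url_pattern_matches(g.url_pattern, requested.url_pattern) and g.actions == requested.actions
        for g in granted
    )


def structured_lookup(granted: Iterable[WebPermission], requested: WebPermission) -> bool:
    """The intended behaviour: honour method sets and transport guarantees separately."""
    return any(g.implies(requested) for g in granted)


if __name__ == "__main__":
    # Constructed deployment-time entry: resource secured by method only, no user-data-constraint.
    granted = [WebPermission.parse("/html/allowed_to_a/*", "GET")]
    # Constructed runtime request arriving through a Connector with secure="true".
    req = request_permission("/html/allowed_to_a/index.html", "GET", secure=True)
    print("runtime actions:", req.actions)
    print("verbatim string compare:", string_key_lookup(granted, req))
    print("structured compare:    ", structured_lookup(granted, req))
```

With the constructed entries above, string_key_lookup returns False for every request on the secure connector, which is the "can never be accessed" symptom of the report, while structured_lookup grants the GET. The same structured check still rejects a plain-HTTP request against an entry parsed from "GET:CONFIDENTIAL", so separating method and transport does not weaken a resource that really has a CONFIDENTIAL user-data-constraint.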
How to reproduce this situation:
- Enable JACC in Tomcat's server.xml (http://www.jboss.org/wiki/Wiki.jsp?page=JACC).
- Add the attribute secure="true" to the Connector in server.xml, e.g.:
<Connector port="8080" address="${jboss.bind.address}" secure="true"
- Secure a resource in a web.xml.
=> The secured resource can never be accessed.
Regards,
Andrea