
AbstractWebDeployer adds more unchecked permissions to the JACC policy provider than it should


Details

    • Bug
    • Resolution: Done
    • Critical
    • JBossAS-4.0.2 Final
    • JBossAS-4.0.2RC1
    • Security

    Description

      AbstractWebDeployer adds more unchecked permissions to the JACC policy provider than it should. The impact of this bug is that users can obtain access to resources that they should not have had access to.

      Here is a pair of security constraints that causes the problem to show up:
      <security-constraint>
        <auth-constraint>
          <role-name>RoleA</role-name>
        </auth-constraint>
        <web-resource-collection>
          <web-resource-name>exact, get method, roleA</web-resource-name>
          <url-pattern>/protected/exact/get/roleA</url-pattern>
          <http-method>GET</http-method>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <security-constraint>
        <auth-constraint>
          <role-name>RoleB</role-name>
        </auth-constraint>
        <web-resource-collection>
          <web-resource-name>exact, get method, roleA verifier</web-resource-name>
          <url-pattern>/protected/exact/get/roleA</url-pattern>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
          <http-method>HEAD</http-method>
          <http-method>TRACE</http-method>
          <http-method>OPTIONS</http-method>
          <http-method>DELETE</http-method>
        </web-resource-collection>
      </security-constraint>

      In response to these two security constraints, the AbstractWebDeployer adds the following WebResourcePermission objects to the JACC policy provider:

      unchecked permissions
      javax.security.jacc.WebResourcePermission /protected/exact/get/roleA
      javax.security.jacc.WebUserDataPermission /protected/exact/get/roleA GET:NONE
      javax.security.jacc.WebUserDataPermission /protected/exact/get/roleA DELETE,HEAD,OPTIONS,POST,PUT,TRACE
      excluded permissions
      RoleA permissions
      javax.security.jacc.WebResourcePermission /protected/exact/get/roleA GET
      RoleB permissions
      javax.security.jacc.WebResourcePermission /protected/exact/get/roleA DELETE,HEAD,OPTIONS,POST,PUT,TRACE

      From what I can tell, the AbstractWebDeployer is attempting to satisfy a requirement in section 3.1.3.1 of the JACC specification that states that, "a web resource permission ... must be added to the unchecked policy statements for each url-pattern in the deployment descriptor ... that is not combined by the web-resource-collection elements of the deployment descriptor with every HTTP method value."

      The expected behavior would be for the AbstractWebDeployer to not add any unchecked permissions for these two security constraints, since every HTTP method value is represented for the /protected/exact/get/roleA url pattern, even though it requires a union of all the security constraints that state the url pattern. I surmise that the AbstractWebDeployer needs to be more selective when adding entries to the patternsWithHttpMethodSubsetsWRP and patternsWithHttpMethodSubsetsWUDP maps.
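      The spec rule the report quotes, worked through as an added example (this is not JBoss or JACC code): it takes the union of HTTP methods named for each url-pattern across every security constraint and emits an unchecked WebResourcePermission only for methods that no web-resource-collection covers, which is the behaviour the reporter expects. The constraint shape, `methods_per_pattern` and `unchecked_web_resource_permissions` are this example's own; the data is constructed from the two constraints above.

```python
# Added example (not JBoss code): models the JACC 3.1.3.1 rule the report cites.
# The unchecked WebResourcePermission for a url-pattern must cover only the HTTP
# methods that no web-resource-collection in the whole descriptor names for it,
# so the check has to run over the union of all constraints, not per constraint.
from typing import Dict, List, Set, Tuple

# The seven HTTP methods JACC 1.0 recognises.
HTTP_METHODS = frozenset({"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE"})

# A security constraint is reduced here to (roles, [(url_pattern, {methods})]).
Constraint = Tuple[Set[str], List[Tuple[str, Set[str]]]]

def methods_per_pattern(constraints: List[Constraint]) -> Dict[str, Set[str]]:
    """Union, across every constraint, of the methods named for each url-pattern.
    An empty http-method list in the descriptor means 'all methods'."""
    union: Dict[str, Set[str]] = {}
    for _roles, collections in constraints:
        for pattern, methods in collections:
            named = set(methods) if methods else set(HTTP_METHODS)
            union.setdefault(pattern, set()).update(named)
    return union

def unchecked_web_resource_permissions(constraints: List[Constraint]) -> Dict[str, Set[str]]:
    """Patterns that still need an unchecked WebResourcePermission, mapped to the
    methods left uncovered. A pattern whose union covers every method gets none."""
    result: Dict[str, Set[str]] = {}
    for pattern, covered in methods_per_pattern(constraints).items():
        uncovered = set(HTTP_METHODS - covered)
        if uncovered:
            result[pattern] = uncovered
    return result

# Constructed from the two constraints in the report: together they name all 7 methods.
PATTERN = "/protected/exact/get/roleA"
REPORTED_CONSTRAINTS: List[Constraint] = [
    ({"RoleA"}, [(PATTERN, {"GET"})]),
    ({"RoleB"}, [(PATTERN, {"POST", "PUT", "HEAD", "TRACE", "OPTIONS", "DELETE"})]),
]
# Constructed variant: the second constraint omits DELETE, so one method stays uncovered.
PARTIAL_CONSTRAINTS: List[Constraint] = [
    ({"RoleA"}, [(PATTERN, {"GET"})]),
    ({"RoleB"}, [(PATTERN, {"POST", "PUT", "HEAD", "TRACE", "OPTIONS"})]),
]

if __name__ == "__main__":
    print(unchecked_web_resource_permissions(REPORTED_CONSTRAINTS))  # {}
    print(unchecked_web_resource_permissions(PARTIAL_CONSTRAINTS))   # {PATTERN: {'DELETE'}}
```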

          People

            starksm64 Scott Stark (Inactive)
            skinser_jira Stephen Kinser (Inactive)