Details
- Bug
- Resolution: Done
- Critical
- JBossAS-4.0.2RC1
- None
Description
AbstractWebDeployer adds more unchecked permissions to the JACC policy provider than it should. The impact of this bug is that users can obtain access to resources that they should not have had access to.
Here is a pair of security constraints that causes the problem to show up:
<security-constraint>
    <auth-constraint>
        <role-name>RoleA</role-name>
    </auth-constraint>
    <web-resource-collection>
        <web-resource-name>exact, get method, roleA</web-resource-name>
        <url-pattern>/protected/exact/get/roleA</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <auth-constraint>
        <role-name>RoleB</role-name>
    </auth-constraint>
    <web-resource-collection>
        <web-resource-name>exact, get method, roleA verifier</web-resource-name>
        <url-pattern>/protected/exact/get/roleA</url-pattern>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>TRACE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
</security-constraint>
In response to these two security constraints, the AbstractWebDeployer adds the following WebResourcePermission objects to the JACC policy provider:
unchecked permissions
    javax.security.jacc.WebResourcePermission /protected/exact/get/roleA
    javax.security.jacc.WebUserDataPermission /protected/exact/get/roleA GET:NONE
    javax.security.jacc.WebUserDataPermission /protected/exact/get/roleA DELETE,HEAD,OPTIONS,POST,PUT,TRACE
excluded permissions
RoleA permissions
    javax.security.jacc.WebResourcePermission /protected/exact/get/roleA GET
RoleB permissions
    javax.security.jacc.WebResourcePermission /protected/exact/get/roleA DELETE,HEAD,OPTIONS,POST,PUT,TRACE
From what I can tell, the AbstractWebDeployer is attempting to satisfy a requirement in section 3.1.3.1 of the JACC specification that states that "a web resource permission ... must be added to the unchecked policy statements for each url-pattern in the deployment descriptor ... that is not combined by the web-resource-collection elements of the deployment descriptor with every HTTP method value."
The expected behavior would be for the AbstractWebDeployer to not add any unchecked permissions for these two security constraints, since every HTTP method value is represented for the /protected/exact/get/roleA url pattern, even though it requires a union of all the security constraints that state the url pattern. I surmise that the AbstractWebDeployer needs to be more selective when adding entries to the patternsWithHttpMethodSubsetsWRP and patternsWithHttpMethodSubsetsWUDP maps.
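The following is an added example, not JBoss code, that models the two ways of applying the section 3.1.3.1 rule to the constraints quoted above: the per-constraint view that reproduces the unrestricted unchecked WebResourcePermission the report lists, and the union-across-constraints view the reporter expects. The constraint data, the seven-method set and the function names are constructed for this illustration.

```python
"""Added model of the JACC 3.1.3.1 'unchecked' rule (not JBoss code)."""
from dataclasses import dataclass

# HTTP methods a url-pattern must be combined with, across all of its
# constraints, before it needs no unchecked WebResourcePermission.
ALL_HTTP_METHODS = frozenset(
    {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE"})

@dataclass(frozen=True)
class SecurityConstraint:
    url_patterns: frozenset
    http_methods: frozenset  # empty means every method
    roles: frozenset         # role-name values of the auth-constraint

def unchecked_buggy(constraints):
    """Per-constraint view matching the report's output: each constraint that
    names a method subset contributes the *other* methods as unchecked for
    its patterns, and the contributions are merged. Returns {pattern: set}."""
    unchecked = {}
    for c in constraints:
        if c.http_methods and c.http_methods != ALL_HTTP_METHODS:
            for p in c.url_patterns:
                unchecked.setdefault(p, set()).update(ALL_HTTP_METHODS - c.http_methods)
    return {p: frozenset(m) for p, m in unchecked.items()}

def unchecked_expected(constraints):
    """Union view the spec asks for: union the methods named for a pattern
    across ALL constraints; only methods still missing become unchecked."""
    covered = {}
    for c in constraints:
        for p in c.url_patterns:
            covered.setdefault(p, set()).update(c.http_methods or ALL_HTTP_METHODS)
    return {p: frozenset(ALL_HTTP_METHODS - m)
            for p, m in covered.items() if m != ALL_HTTP_METHODS}

def open_to_anyone(unchecked, pattern, method):
    """True when the request needs no role, i.e. the method is unchecked."""
    return method in unchecked.get(pattern, frozenset())

# Constructed from the two security constraints quoted in the report.
PATTERN = "/protected/exact/get/roleA"
REPORT_CONSTRAINTS = [
    SecurityConstraint(frozenset({PATTERN}), frozenset({"GET"}),
                       frozenset({"RoleA"})),
    SecurityConstraint(frozenset({PATTERN}),
                       frozenset({"POST", "PUT", "HEAD", "TRACE", "OPTIONS", "DELETE"}),
                       frozenset({"RoleB"})),
]
```

With the per-constraint view every method on the pattern ends up unchecked, which is why a caller without RoleA can reach the GET resource; the union view yields no unchecked permission for this pattern, while a pattern whose constraints really do omit methods still gets one for exactly the missing methods.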