[jira] Created: (BEEHIVE-635) Tomcat PageflowValve does not check for security-constraints defined in web.xml

Tue, 10 May 2005 03:55:21 -0700 

Tomcat PageflowValve does not check for security-constraints defined in web.xml
-------------------------------------------------------------------------------

         Key: BEEHIVE-635
         URL: http://issues.apache.org/jira/browse/BEEHIVE-635
     Project: Beehive
        Type: Bug
  Components: NetUI  
    Versions: V1Alpha, V1Beta, V1    
 Environment: Using beehive latest from SVN and Tomcat 5.5.7
    Reporter: Abdessattar Sassi


The Tomcat implementation of the Pipeline for a Context is such that only one 
Valve which is also an Authenticator valve is added to the Pipeline. The 
standard Tomcat Authenticator valves (e.g. BasicAuthenticator) check for and 
honor all the security constraints specified in the webapp web.xml descriptor.

The PageflowValve implementation part of tomcat-server under netui is an 
Authenticaor valve as it extends BasicAuthenticator, which means that it is 
mutually exclusive with the regular Tomcat authenticator valves (only one can 
be in the pipeline). It does not however keep the features that were part of 
the AuthenticatorBase and the BasicAuthentiocator invoke() method 
implementation. Such issue results for example in the user-data-constraint 
elements being completely ignored, and therefore pages who are supposed to be 
served only with SSL are always served without SSL.

Following is an example of the code from the regular Tomcat authenticators that 
is missing from beehive adapter (please note that the code is from Tomcat 5.5.7 
with which by the way beehive does not compile, but should give you a good idea 
of the missing features...):

        // Enforce any user data constraint for this security constraint
        if (log.isDebugEnabled()) {
            log.debug(" Calling hasUserDataPermission()");
        }
        Realm realm = this.context.getRealm();
        // Is this request URI subject to a security constraint?
        SecurityConstraint [] constraints
            = realm.findSecurityConstraints(request, this.context);
        if (!realm.hasUserDataPermission(request, response,
                                         constraints)) {
            if (log.isDebugEnabled()) {
                log.debug(" Failed hasUserDataPermission() test");
            }
            /*
             * ASSERT: Authenticator already set the appropriate
             * HTTP status code, so we do not have to do anything special
             */
            return;
        }


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira

Reply via email to