Hi, I have a Struts application which is not being protected as I expected. What happens is that my Struts actions can be accessed directly, no matter what my role is, as long as I am logged in. For example, I have a JSP menu that does the following:

  if (userRole == 'admin') {
      [Show URL to delete elements from database]
  } else {
      [Show URL to display information only]
  }

When I log in as an admin, I see the [Delete] link, and when I log in as a user I see the [Display] link only. However, when I type the URL to delete a database element in the URL bar, elements are deleted even if I am not an admin. So, I can enter:

  http://localhost/webContext/DeleteAction?uniqueId=foo

and element 'foo' will be deleted from the database. I expected a "Permission denied" exception.

Here are the relevant portions of my configuration:

Web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure-web-component-names</web-resource-name>
      <url-pattern>/PlanTypeComponentSelectAction.do</url-pattern>
      <url-pattern>/PlanTypeComponentCreateAction.do</url-pattern>
      <url-pattern>/PlanTypeComponentRetrieveAction.do</url-pattern>
      <url-pattern>/PlanTypeComponentUpdateAction.do</url-pattern>
      <url-pattern>/PlanTypeComponentDeleteAction.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

login-config.xml:

  <application-policy name = "tme_security_realm">
    <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag = "required">
        <module-option name = "dsJndiName">java:/DefaultDS</module-option>
        <module-option name = "principalsQuery">SELECT SEC_USER_PASSWORD FROM sec_user WHERE SEC_USER_USERID=?</module-option>
        <module-option name = "rolesQuery">
          SELECT sec_role_Name,'Roles' FROM sec_Role, sec_user, sec_userrole
          WHERE sec_user_USERID=?
          and sec_role.sec_role_uuid=sec_userrole_role_uuid
          and sec_user.sec_user_uuid=sec_userrole_role_uuid
        </module-option>
      </login-module>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
    </authentication>
  </application-policy>

tomcat's server.xml:

  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
         debug="0"/>

and debugging output:

  DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /webContext/PlanTypeComponentDeleteAction.do
  DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Standard-Struts-Administrative-Actions]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[AlturaForceContainerLogin]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure-Main-Menu]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> true
  DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
  DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
  DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
  DEBUG [org.apache.catalina.authenticator.FormAuthenticator] SSO Id E110D62A46E07BE6CD6E0D69E491A975 set; attempting reauthentication
  DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Reauthenticated cached principal 'user' with auth type 'FORM'
  DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
  DEBUG [org.apache.catalina.realm.RealmBase] Checking roles user
  DEBUG [org.apache.catalina.realm.RealmBase] No role found: admin
  DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
  DEBUG [org.apache.catalina.core.StandardWrapper] Returning non-STM instance

I don't understand what the "true" above means here and why there is a re-login going on. I'm guessing that may be explaining some of the problems I'm seeing.

Any ideas?

Thanks,
L

View the original post: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898956#3898956

_______________________________________________
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
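An added example, not from the poster or from the JBoss/Tomcat projects: a Python script that walks the kind of AuthenticatorBase/RealmBase DEBUG trace quoted above, groups the lines per "Security checking request", records which constraints reported "--> true" (Tomcat logs there whether the constraint's url-pattern and method cover the request; the role check happens later, in accessControl()), which roles the realm reported missing, and whether the request was nevertheless passed. A request that matched a constraint, lacked a required role and still passed is flagged for review. The embedded trace is a constructed, condensed copy of the lines in the post.

```python
import re

# Constructed sample: a condensed copy of the Tomcat DEBUG lines quoted in the post.
SAMPLE_TRACE = """\
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /webContext/PlanTypeComponentDeleteAction.do
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> true
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Reauthenticated cached principal 'user' with auth type 'FORM'
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
DEBUG [org.apache.catalina.realm.RealmBase] Checking roles user
DEBUG [org.apache.catalina.realm.RealmBase] No role found: admin
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
"""

REQUEST_RE = re.compile(r"Security checking request (\S+) (\S+)")
# The trailing true/false records whether the constraint's url-pattern and method cover the request.
CONSTRAINT_RE = re.compile(r"Checking constraint 'SecurityConstraint\[([^\]]+)\]' against \S+ \S+ --> (true|false)")
PRINCIPAL_RE = re.compile(r"principal '([^']+)'")
NO_ROLE_RE = re.compile(r"No role found: (\S+)")
PASSED = "Successfully passed all security constraints"

def analyse_trace(trace: str) -> list:
    """Summarise the authorization decision per request; 'suspicious' marks a
    request that matched a constraint, had a role reported missing, and still passed."""
    requests, cur = [], None
    for line in trace.splitlines():
        m = REQUEST_RE.search(line)
        if m:  # a new request begins; everything until the next one belongs to it
            cur = {"method": m.group(1), "uri": m.group(2), "matched": [],
                   "principal": None, "missing_roles": [], "passed": False}
            requests.append(cur)
            continue
        if cur is None:  # lines before the first request header are ignored
            continue
        m = CONSTRAINT_RE.search(line)
        if m:
            if m.group(2) == "true":
                cur["matched"].append(m.group(1))
            continue
        m = PRINCIPAL_RE.search(line)
        if m:
            cur["principal"] = m.group(1)
        elif (m := NO_ROLE_RE.search(line)):
            cur["missing_roles"].append(m.group(1))
        elif PASSED in line:
            cur["passed"] = True
    for r in requests:
        r["suspicious"] = r["passed"] and bool(r["matched"]) and bool(r["missing_roles"])
    return requests
```

Run it over a full container debug log to list every request whose outcome disagrees with the realm's role check, rather than reading the trace by hand.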