Hi,

I have a Struts application which is not being protected as I expected. What 
happens is that my Struts actions can be accessed directly, no matter what my 
role is, as long as I am logged in. For example, I have a JSP menu that does 
the following:

if (userRole == 'admin') {
  [Show URL to delete elements from database]
} else {
  [Show URL to display information only]
}

When I log in as an admin, I see the [Delete] link and when I log in as a user I 
see the [Display] link only.

However, when I type the URL to delete a database element in the URL bar, 
elements are deleted even if I am not an admin. So, I can enter:

http://localhost/webContext/DeleteAction?uniqueId=foo

and element 'foo' will be deleted from the database. I expected a "Permission 
denied" exception.

Here are the relevant portions of my configuration:

Web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure-web-component-names</web-resource-name>
      <url-pattern>/PlanTypeComponentSelectAction.do</url-pattern>
      <url-pattern>/PlanTypeComponentCreateAction.do</url-pattern>
      <url-pattern>/PlanTypeComponentRetrieveAction.do</url-pattern>
      <url-pattern>/PlanTypeComponentUpdateAction.do</url-pattern>
      <url-pattern>/PlanTypeComponentDeleteAction.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

login-config.xml:

  <application-policy name = "tme_security_realm">
      <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
              flag = "required">
              <module-option name = "dsJndiName">java:/DefaultDS</module-option>
              <module-option name = "principalsQuery">SELECT SEC_USER_PASSWORD FROM sec_user WHERE SEC_USER_USERID=?</module-option>
              <module-option name = "rolesQuery">
                  SELECT sec_role_Name,'Roles' FROM sec_Role, sec_user, sec_userrole
                  WHERE sec_user_USERID=?
                  and sec_role.sec_role_uuid=sec_userrole_role_uuid
                  and sec_user.sec_user_uuid=sec_userrole_role_uuid
              </module-option>
          </login-module>
          <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
      </authentication>
  </application-policy>

tomcat's server.xml:

  <Valve className="org.apache.catalina.authenticator.SingleSignOn"
                 debug="0"/>

and debugging output:

  DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /webContext/PlanTypeComponentDeleteAction.do
  DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[Standard-Struts-Administrative-Actions]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[AlturaForceContainerLogin]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[Secure-Main-Menu]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> true
  DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
  DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling hasUserDataPermission()
  DEBUG [org.apache.catalina.realm.RealmBase]   User data constraint has no restrictions
  DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling authenticate()
  DEBUG [org.apache.catalina.authenticator.FormAuthenticator] SSO Id E110D62A46E07BE6CD6E0D69E491A975 set; attempting reauthentication
  DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Reauthenticated cached principal 'user' with auth type 'FORM'
  DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Calling accessControl()
  DEBUG [org.apache.catalina.realm.RealmBase]   Checking roles user
  DEBUG [org.apache.catalina.realm.RealmBase] No role found:  admin
  DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Successfully passed all security constraints
  DEBUG [org.apache.catalina.core.StandardWrapper]   Returning non-STM instance

I don't understand what the "true" above means here and why there is a re-login 
going on. I'm guessing that may be explaining some of the problems I'm seeing.

Any ideas?

Thanks,


L

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3898956#3898956

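The container decides access to a URL by first picking the best-matching url-pattern (exact, then longest path prefix, then extension, then default) and then combining every <security-constraint> that carries that pattern, where a matching constraint with no <auth-constraint> opens the URL to everyone regardless of what the others say. The audit below is an added example, not code from the original post or from JBoss/Tomcat; it applies those Servlet 2.4 rules (section 12.8) to a constructed web.xml that pairs the poster's admin-only constraint with a hypothetical "force-login" constraint on the same URL, and lists role-restricted URLs that end up reachable anyway.

```python
import xml.etree.ElementTree as ET
# Constructed sample, not the poster's full web.xml: their admin-only constraint plus a
# hypothetical "force-login" constraint naming the same URL with no <auth-constraint>.
SAMPLE_WEB_XML = """<web-app><security-constraint><web-resource-collection>
  <web-resource-name>secure-web-component-names</web-resource-name>
  <url-pattern>/PlanTypeComponentDeleteAction.do</url-pattern>
</web-resource-collection><auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint><security-constraint><web-resource-collection>
  <web-resource-name>hypothetical-force-login</web-resource-name>
  <url-pattern>/PlanTypeComponentDeleteAction.do</url-pattern>
</web-resource-collection></security-constraint></web-app>"""

def load_constraints(web_xml_text):
    """[(patterns, roles)]: roles is None if no <auth-constraint>, [] if it is empty."""
    out = []
    for sc in ET.fromstring(web_xml_text).iter("security-constraint"):
        pats = [p.text.strip() for p in sc.iter("url-pattern")]
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        out.append((pats, roles))
    return out

def pattern_rank(pat, path):
    """Servlet 2.4 12.8.3 match class of pat for path (lower sorts first), or None."""
    if pat == path:
        return (0, 0)                      # exact match beats everything
    if pat.endswith("/*") and (path == pat[:-2] or path.startswith(pat[:-1])):
        return (1, -len(pat))              # longest path prefix wins
    if pat.startswith("*.") and path.endswith(pat[1:]):
        return (2, 0)                      # extension mapping
    return (3, 0) if pat == "/" else None  # default mapping

def matching_constraints(constraints, path):
    """Every constraint that carries a best-ranked pattern for this path."""
    hits = [(r, c) for c in constraints for p in c[0] for r in [pattern_rank(p, path)] if r]
    return [c for rank, c in hits if rank == min(r for r, _ in hits)]

def access_allowed(constraints, path, user_roles):
    """12.8.1 combining: no <auth-constraint> => open to all; empty one => closed; else role union."""
    selected = matching_constraints(constraints, path)
    if not selected or any(roles is None for _, roles in selected):
        return True
    if any(roles == [] for _, roles in selected):
        return False
    allowed = set().union(*(roles for _, roles in selected))
    return "*" in allowed or bool(allowed & set(user_roles))

def audit_open_urls(constraints):
    return sorted({pat for pats, roles in constraints if roles
                   for pat in pats if access_allowed(constraints, pat, [])})
```

Run against a real web.xml with `audit_open_urls(load_constraints(open("web.xml").read()))`; the delete URL in the sample shows up because the role-less constraint wins the combination, while with only the admin constraint loaded a caller holding just the `user` role is refused.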

_______________________________________________
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user