https://bz.apache.org/bugzilla/show_bug.cgi?id=57715

            Bug ID: 57715
           Summary: Finding security constraints can fail when HTTP
                    methods are specified
           Product: Tomcat 9
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: marklundb...@gmail.com

Created attachment 32576
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=32576&action=edit
Unit test to demonstrate the problem and a fix to the RealmBase

Finding security constraints can fail when HTTP methods are specified.  When
HTTP methods are defined in the security constraints, the
RealmBase.findSecurityConstraints() method can terminate early without adding a
constraint to the results.

A simple case that demonstrates this problem is to define security constraints
such that the entire web site requires authentication.  Then add one additional
constraint that allows the GET HTTP method for a specific URL to bypass
authentication:

    <!-- Restricted URLs that require authentication -->
    <security-constraint>
        <display-name>Authenticated Access</display-name>
        <web-resource-collection>
            <web-resource-name>Restricted Access</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- <auth-constraint> with the * role enforces authentication but
                 not authorization -->
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- URLs that do not require authentication -->
    <security-constraint>
        <display-name>Unauthenticated Public Access</display-name>
        <web-resource-collection>
            <!-- Public SOAP wsdl resources -->
            <web-resource-name>PublicSOAPWsdlURLs</web-resource-name>
            <url-pattern>/services/*</url-pattern>
            <!-- SOAP wsdl requests use GET and are public. POST requests to
                 these URLs require authentication -->
            <http-method>GET</http-method>
        </web-resource-collection>
        <!-- No <auth-constraint> because these resources do not require
             authentication -->
    </security-constraint>

If an HTTP POST request is sent to the /services/foo URI, the
findSecurityConstraints() method matches the ‘/services/*’ URL pattern and flags
the search status as having found a match. However, when the HTTP method is
examined it is found not to match, so the security constraint is not added to
the results. Even though the HTTP method didn’t match, the search was still
flagged as having found a match, so the search terminates and returns zero
constraints. This allows the POST request to proceed without authentication.
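The following is an added model of the search described above; it is example code written for this page, not Tomcat's RealmBase, and the Constraint class, the pattern-grouping helper and the two search functions are simplifications constructed for illustration. It encodes the two constraints from the report, reproduces the early termination on a URL-only match, and shows one way the search could be corrected so that the less specific /* constraint still applies to a POST that the GET-only collection does not cover (this correction is illustrative, not necessarily the attached patch):

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Constraint:
    """Simplified <security-constraint>: one <url-pattern>, the <http-method>
    set (empty = every method) and whether an <auth-constraint> is present.
    Constructed for this example; not a Tomcat class."""
    name: str
    url_pattern: str
    methods: frozenset = frozenset()
    requires_auth: bool = True

    def matches_url(self, uri: str) -> bool:
        if self.url_pattern == uri:
            return True
        if self.url_pattern.endswith("/*"):
            prefix = self.url_pattern[:-2]   # "/*" -> "", "/services/*" -> "/services"
            return uri == prefix or uri.startswith(prefix + "/")
        return False

    def matches_method(self, method: str) -> bool:
        return not self.methods or method in self.methods


# Constructed from the two <security-constraint> elements in the bug report.
RESTRICTED = Constraint("Authenticated Access", "/*", requires_auth=True)
PUBLIC_WSDL = Constraint("Unauthenticated Public Access", "/services/*",
                         methods=frozenset({"GET"}), requires_auth=False)
WEB_XML = [RESTRICTED, PUBLIC_WSDL]


def _pattern_groups(constraints: List[Constraint]) -> List[List[Constraint]]:
    """Group constraints by url-pattern, most specific (longest) pattern first,
    mirroring a 'best matching pattern wins' search order."""
    groups: Dict[str, List[Constraint]] = {}
    for c in constraints:
        groups.setdefault(c.url_pattern, []).append(c)
    return sorted(groups.values(), key=lambda g: len(g[0].url_pattern), reverse=True)


def find_constraints_buggy(constraints, uri, method):
    """Search as the report describes it: a URL match flags 'found' even when
    the method does not match, so the search stops with an empty result."""
    results = []
    for group in _pattern_groups(constraints):
        found = False
        for c in group:
            if c.matches_url(uri):
                found = True                 # flagged on the URL match alone
                if c.matches_method(method):
                    results.append(c)
        if found:
            return results                   # may be empty: request goes uncovered
    return results


def find_constraints_fixed(constraints, uri, method):
    """Illustrative correction: only stop once a constraint covering both the
    URL and the method has been collected, so the search falls through to the
    less specific /* constraint for POST /services/foo."""
    results = []
    for group in _pattern_groups(constraints):
        for c in group:
            if c.matches_url(uri) and c.matches_method(method):
                results.append(c)
        if results:
            return results
    return results


def authentication_required(constraints, uri, method, finder=find_constraints_fixed):
    """A request is challenged only when some matched constraint carries an
    <auth-constraint>; zero matched constraints lets the request through."""
    return any(c.requires_auth for c in finder(constraints, uri, method))


if __name__ == "__main__":
    for finder in (find_constraints_buggy, find_constraints_fixed):
        for method in ("GET", "POST"):
            hit = [c.name for c in finder(WEB_XML, "/services/foo", method)]
            print(f"{finder.__name__}: {method} /services/foo -> {hit}")
```

Running the model, the buggy search returns no constraint for POST /services/foo, so authentication_required() answers False, while the corrected search returns the /* constraint and the request is challenged; GET /services/foo stays public under both. As a defensive check independent of the realm's search order, a Servlet 3.1 deployment descriptor can declare <deny-uncovered-http-methods/> so that a method left uncovered by a method-specific collection is rejected rather than silently allowed.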

A patch is attached that includes a unit test to demonstrate the problem and a
fix to the RealmBase.
