https://bz.apache.org/bugzilla/show_bug.cgi?id=57715
Bug ID: 57715
Summary: Finding security constraints can fail when HTTP methods are specified
Product: Tomcat 9
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: marklundb...@gmail.com

Created attachment 32576
--> https://bz.apache.org/bugzilla/attachment.cgi?id=32576&action=edit
Unit test to demonstrate the problem and a fix to the RealmBase

Finding security constraints can fail when HTTP methods are specified.

When HTTP methods are defined in the security constraints, the RealmBase.findSecurityConstraints() method can terminate early without adding a constraint to the results.

A simple case that demonstrates this problem is to define security constraints such that the entire web site requires authentication. Then add one additional constraint that allows the GET HTTP method for a specific URL to bypass authentication:

    <!-- Restricted URLs that require authentication -->
    <security-constraint>
        <display-name>Authenticated Access</display-name>
        <web-resource-collection>
            <web-resource-name>Restricted Access</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- <auth-constraint> with the * role enforces authentication but not authorization -->
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- URLs that do not require authentication -->
    <security-constraint>
        <display-name>Unauthenticated Public Access</display-name>
        <web-resource-collection>
            <!-- Public SOAP wsdl resources -->
            <web-resource-name>PublicSOAPWsdlURLs</web-resource-name>
            <url-pattern>/services/*</url-pattern>
            <!-- SOAP wsdl requests use GET and are public.
                 POST requests to these URLs require authentication -->
            <http-method>GET</http-method>
        </web-resource-collection>
        <!-- No <auth-constraint> because these resources do not require authentication -->
    </security-constraint>

If an HTTP POST request is sent to the /services/foo URI, the findSecurityConstraints() method matches the '/services/*' URL pattern and flags the search status as having found a match. However, when the HTTP method is examined it is found not to match, and the security constraint is not added to the results. Even though the HTTP method did not match, the search was still flagged as having found a match, so the search is terminated and zero constraints are returned. This allows the POST request to proceed without authentication.

A patch is attached that includes a unit test to demonstrate the problem and a fix to the RealmBase.
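A simplified model of the constraint search described above, added here as an example; it is not Tomcat's RealmBase code. The specificity ranking of URL patterns and the `buggy` switch (which reproduces the early termination on a URL-only match) are assumptions made for illustration, and the two constraints are the ones from the web.xml fragment in the report.

```python
# Added example (not Tomcat's RealmBase code): simplified model of servlet
# security-constraint matching; tier ranking and the 'buggy' switch are assumptions.
from dataclasses import dataclass, field

@dataclass
class Constraint:
    name: str
    patterns: list
    methods: set = field(default_factory=set)  # empty = every HTTP method
    auth_required: bool = False                # constraint has <auth-constraint>

def url_matches(pattern, uri):
    """Exact match, or servlet-style prefix match such as '/services/*'."""
    if pattern.endswith("/*"):
        return uri == pattern[:-2] or uri.startswith(pattern[:-2] + "/")
    return uri == pattern

def pattern_rank(pattern):
    """Higher is more specific: exact > longer prefix > the default '/*'."""
    return 10_000 if not pattern.endswith("/*") else len(pattern) - 2

def find_constraints(constraints, uri, method, buggy):
    """Constraints covering (uri, method), searched most specific tier first.
    buggy=True sets 'found' on a URL match alone, so a method mismatch ends the
    search with nothing selected; buggy=False sets it only when a constraint is
    added, so the search falls through to the less specific '/*' constraint."""
    tiers = {}
    for c in constraints:
        for p in c.patterns:
            if url_matches(p, uri):
                tiers.setdefault(pattern_rank(p), []).append(c)
    for rank in sorted(tiers, reverse=True):
        results, found = [], False
        for c in tiers[rank]:
            if buggy:
                found = True                   # the report's defect
            if not c.methods or method in c.methods:
                results.append(c)
                found = True
        if found:
            return results
    return []

# The two constraints from the report's web.xml fragment.
WEB_XML = [
    Constraint("Authenticated Access", ["/*"], auth_required=True),
    Constraint("Unauthenticated Public Access", ["/services/*"], {"GET"}),
]

def requires_auth(uri, method, buggy):
    # True when any selected constraint carries an <auth-constraint>
    return any(c.auth_required for c in find_constraints(WEB_XML, uri, method, buggy))
```

With `buggy=True`, `requires_auth("/services/foo", "POST", True)` is False, which is the unauthenticated POST the report describes; with the flag only set on an added constraint, the same request falls through to the `/*` constraint and requires authentication.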