Bug report #295 has just been filed.
You can view the report at the following URL:

<http://znutar.cortexity.com:8888/BugRatViewer/ShowReport/295>

REPORT #295 Details.

Project: Tomcat
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: critical
Confidence: public

Environment:
Release: V3.1
JVM Release: 1.3.0
Operating System: Solaris
OS Release: 8
Platform: SPARC

Synopsis:
Very serious BASIC authentication failure mode

Description:
Hi folks,

(Sorry, I can't check if this has already been reported as your bug mechanism is dead today.)

Creating a simple conf/tomcat-users.xml file:

<tomcat-users>
  <user name="admin1" password="fred" roles="admin" />
  <user name="guest" password="friend" roles="guest" />
</tomcat-users>

I declared a couple of areas of my site to be protected in my web.xml:

<!-- At the moment, in Tomcat, we only have BASIC authentication. -->
<security-constraint>
  <!-- We protect the /static/protected/* and /d/protected/* areas. -->
  <web-resource-collection>
    <web-resource-name>Admin Web Area</web-resource-name>
    <url-pattern>/static/protected/*</url-pattern>
    <url-pattern>/d/protected/*</url-pattern>
    <!-- Don't list http-method values, as we want all methods protected. -->
  </web-resource-collection>
  <!-- A user must have an admin role to get into these areas. -->
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <!-- Use BASIC authentication as it's all that Tomcat supports for now. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin Realm</realm-name>
  </login-config>
</security-constraint>

Note that this app is mapped to / in server.xml.

When I visited one of the protected areas and logged in as guest rather than admin1, Tomcat started showing all the contents of the site without protection and usual handling, and some interesting URL remapping.
For example, http://mysite:8080/static/protected/some/path.jsp would show me the plaintext file at /some/path.jsp in my app as a plaintext file. Worse, http://mysite:8080/static/protected/static/protected/some/path.jsp would show me the /static/protected/some/path.jsp file as a file, thus *lowering* the system protection.

There were complaints (not to hand, sorry) in either tomcat.log or servlet.log about "Error/loop in a handler".

I hope that I just did something silly and that this is not a real bug.

Bv<
[EMAIL PROTECTED]
http://d.hd.org/
Submitter: _Anonymous ( [EMAIL PROTECTED] )
Date Submitted: Oct 22 2000, 09:39:25 CDT
Responsible: Z_Tomcat Alias ( [EMAIL PROTECTED] )
Additional Environment Description:
Workaround: null
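As an added example (not part of the report or of Tomcat), a small reference model of how the servlet security-constraint above is meant to be enforced, with the users and url-patterns taken from the report; the pattern-matching and path-canonicalisation helpers and the constant names are my own assumptions, written so the two URLs the reporter lists can be checked against the expected outcome.

```python
# Reference model of Servlet 2.2 security-constraint enforcement for the
# configuration in the report. Constraint data comes from the report; the
# helper functions and constant names are assumptions made for this example.
from posixpath import normpath

# conf/tomcat-users.xml from the report: user -> roles
USERS = {"admin1": {"admin"}, "guest": {"guest"}}

# web.xml from the report: url-patterns -> role-names that may access them.
# (login-config, i.e. BASIC / "Admin Realm", is not part of a constraint;
# the Servlet 2.2 DTD places it directly under <web-app>.)
CONSTRAINTS = [
    (["/static/protected/*", "/d/protected/*"], {"admin"}),
]


def canonical(path):
    """Collapse '.', '..' and repeated slashes before matching, so that
    /static/protected/../protected/x or //static/protected/x is judged by
    the path it actually resolves to, not by its raw spelling."""
    return normpath("/" + path.lstrip("/"))


def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, prefix ('/x/*') or
    extension ('*.jsp'). A prefix pattern also matches the bare prefix."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def required_roles(path):
    """Union of role-names required for this path, or None if no
    constraint applies (the resource is unprotected)."""
    path = canonical(path)
    roles = None
    for patterns, allowed in CONSTRAINTS:
        if any(pattern_matches(p, path) for p in patterns):
            roles = (roles or set()) | allowed
    return roles


def is_authorized(path, user):
    """True if `user` (None = unauthenticated) may reach `path`.
    An unauthenticated hit on a constrained path should get a BASIC
    challenge (401); an authenticated user lacking the role gets 403."""
    roles = required_roles(path)
    if roles is None:
        return True
    if user is None:
        return False
    return bool(USERS.get(user, set()) & roles)
```

Under this model both URLs from the report resolve inside /static/protected/ and must be refused to guest; a server that serves them (let alone remaps them to unprotected files) is not honouring the constraint.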