Security constraints for forward()/include() [Was: Re: [ANNOUNCEMENT] Tomcat 3.2 Beta 7]

Mon, 13 Nov 2000 15:28:16 -0800 

Hans Bergsten wrote:
> 
> [EMAIL PROTECTED] wrote:
> > [...]
> > >   6.8 Container Managed Security Constraints
> > >   Due to the way that Tomcat 3.2 is implemented, container managed security
> > >   constraints are imposed both on the original request URI *and* on subrequests
> > >   initiated to handle RequestDispatcher.forward() or RequestDispatcher.include()
> > >   calls.
> > > [...]
> > > This does *not* seem to be the case. I have an example that uses the RD to
> > > forward() to JSP pages that are protected from direct access using BASIC
> > > authentication. It works exactly as it should: forward() invokes them but
> > > a direct access prompts for username/password. You may want to look at
> >
> > If this is the case probably something changed in the implementation, and
> > we should at least find out if the danger is real and document that.
> 
> I'll try to take a look at the code today or tomorrow to see what's going
> on. But the way it works now (at least in my test case) is the way it
> should work according to 2.3, so I agree that we should leave it as it is
> and just document how it works (if it's different than 2.3 after all and
> if those differences poses a security threat).

I've looked at the code to try to figure out why it doesn't work as Costin
intended, and instead works as specified in 2.3, but I'm afraid there are
just too many interceptors involved and too little time for me to dig deeper.

Anyway, from tracing it's clear that the AccessInterceptor gets invoked
even for a forward() and it calls req.setRequiredRoles( roles ) so that
the "roles will be checked by a different interceptor". I assume this is
the SimpleRealm interceptor, but it's never invoked for a forward(). Maybe
this is because ContextManager.processRequest() (called by the RD) never 
calls the authorize() method in the interceptions, only contextMap() and 
requestMap().

An in all, I'm happy with the current behavior and I suggest that 
"6.8 Container Managed Security Constraints" is removed from the README
in the final release build. It would nice, however, if someone else can
verify this as well, since I didn't find out exactly why it works as it
should ;-)

Hans
-- 
Hans Bergsten           [EMAIL PROTECTED]
Gefion Software         http://www.gefionsoftware.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to