Bill/Remy,

Bill Barker wrote:
> ----- Original Message -----
> From: "Remy Maucherat" <[EMAIL PROTECTED]>
> To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
> Sent: Wednesday, March 02, 2005 11:56 AM
> Subject: Re: cvs commit:
> jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm
> RealmBase.java
> 
> 
> 
>>[EMAIL PROTECTED] wrote:
>>
>>>luehe       2005/03/02 11:27:11
>>>
>>>  Modified:    catalina/src/share/org/apache/catalina/realm
> 
> RealmBase.java
> 
>>>  Log:
>>>  Consider the case where original request was mapped to welcome page.
>>>  In this case, the mapped welcome page (and not the original request
>>>  URI!) needs to be the target of hasResourcePermission().
>>>
>>>  This is consistent with the change that had been made in
> 
> findSecurityConstraints().
> 
>>>  BTW, shouldn't request.getDecodedRequestURI() return the mapped
>>>  welcome page (instead of the original URI) in this case?
>>>  In other words, shouldn't the path passed to
>>>    mappingData.requestPath.setString(pathStr)
>>>  in Mapper.java be propagated to the request object associated with the
>>>  mappingData?
>>
>>I consider welcome files to be internal forwards (since it is allowed to
>>handle them this way). As a result, they shouldn't be matched by
>>security constraints. Only the original request path should be used
>>(so here it's getDecodedRequestURI - as sent by the client).
>>
> 
> 
> I agree with Remy.  It's an internal Tomcat implementation detail that
> welcome-files aren't handled via DefaultServlet doing:
>   RequestDispatcher rd = request.getRequestDispatcher(welcome[i]);
>   rd.forward(request, response);
> Since this is explicitly allowed by the spec, nobody can expect that a
> security-constraint mapped only to the welcome-file will be applied.
> However, this is probably another thing that should be better specified in
> the 2.5 spec.


But SRV.9.10 ("Welcome Files") already has this:

  The container may send the request to the welcome resource with
  a forward, a redirect, or a container specific mechanism
  **that is indistinguishable from a direct request**.

The latter to me implies that any sec constraints must be applied
to the mapped welcome page (if any).

Also, see the attached diffs, in particular:

-        String uri = request.getDecodedRequestURI();
-        String contextPath = hreq.getContextPath();
-        if (contextPath.length() > 0)
-            uri = uri.substring(contextPath.length());
+        String uri = request.getRequestPathMB().toString();

in findSecurityConstraints().

When accessing <host>:<port>/somecontext/,
which has welcome page /somecontext/index.jsp,

request.getDecodedRequestURI() returns "/somecontext/",
whereas request.getRequestPathMB().toString() returns
"/index.jsp" (as set by the mapper), so there already is a precedent
in findSecurityConstraints() to match sec constraints against
welcome page, which I think makes sense.

Otherwise, the following sec constraint:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

which is supposed to protect all JSP pages, would be bypassed if a
request was mapped to index.jsp welcome page.


Jan
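
Added example (mine, not Tomcat code and not part of Jan's attached diff): a small stand-alone model of servlet url-pattern matching for the security constraint quoted above, run once against the path the client actually sent and once against the welcome file the mapper substituted. It shows the bypass Jan describes, and equally the point Remy and Bill make that a welcome file handled as an internal forward is invisible to the constraint check. The pattern matcher, the `mapWelcomeFile` stand-in for the mapper's welcome-file step, the `report` helper and the sample paths are my assumptions; precedence between several matching patterns is not modelled, and the last two calls go slightly beyond the thread by also showing that the quoted collection, because it lists http-methods, leaves any unlisted method unconstrained.

```java
import java.util.Arrays;
import java.util.List;

public class WelcomeFileConstraintDemo {

    /** One <web-resource-collection>: its url-patterns and the HTTP methods it names. */
    static final class ResourceCollection {
        final List<String> patterns;
        final List<String> methods;   // empty list means every method is covered

        ResourceCollection(List<String> patterns, List<String> methods) {
            this.patterns = patterns;
            this.methods = methods;
        }
    }

    /**
     * Servlet url-pattern match of one pattern against a context-relative path:
     * exact match, "/prefix/*" path match, or "*.ext" extension match.
     * Precedence between several matching patterns is deliberately not modelled;
     * the question here is only which path gets handed to the matcher.
     */
    static boolean patternMatches(String pattern, String path) {
        if (pattern.equals(path)) {
            return true;
        }
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {
            int slash = path.lastIndexOf('/');
            int dot = path.lastIndexOf('.');
            // the extension has to sit in the last path segment ("/a.jsp/b" is not a JSP)
            return dot > slash && path.substring(dot).equals(pattern.substring(1));
        }
        return false;
    }

    /** True when some collection covers this path and method, i.e. the auth-constraint applies. */
    static boolean isProtected(List<ResourceCollection> collections, String path, String method) {
        for (ResourceCollection c : collections) {
            if (!c.methods.isEmpty() && !c.methods.contains(method)) {
                continue;
            }
            for (String p : c.patterns) {
                if (patternMatches(p, path)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Assumed stand-in for the mapper's welcome-file step: a request for a
     * directory is resolved to directory + welcome file. The real mapper also
     * checks that the welcome file exists; this model simply assumes it does.
     */
    static String mapWelcomeFile(String requestPath, String welcomeFile) {
        return requestPath.endsWith("/") ? requestPath + welcomeFile : requestPath;
    }

    public static void main(String[] args) {
        // The constraint from the message: every JSP, for PUT/DELETE/GET/POST, role "tomcat".
        List<ResourceCollection> protectedArea = Arrays.asList(
                new ResourceCollection(Arrays.asList("*.jsp"),
                                       Arrays.asList("PUT", "DELETE", "GET", "POST")));

        // GET /somecontext/ with the context path already stripped, as RealmBase does.
        String clientPath = "/";
        String mappedPath = mapWelcomeFile(clientPath, "index.jsp");

        // Remy's reading: the constraint sees only what the client sent. "/" has no
        // extension, so "*.jsp" cannot match it and index.jsp is served without auth.
        report("client URI   " + clientPath, isProtected(protectedArea, clientPath, "GET"));

        // Jan's reading: the constraint sees the mapped welcome file, which "*.jsp" matches.
        report("welcome file " + mappedPath, isProtected(protectedArea, mappedPath, "GET"));

        // A direct request for the JSP is caught under either reading; a HEAD request is
        // not, because the collection lists methods and HEAD is not among them.
        report("direct /index.jsp GET ", isProtected(protectedArea, "/index.jsp", "GET"));
        report("direct /index.jsp HEAD", isProtected(protectedArea, "/index.jsp", "HEAD"));
    }

    static void report(String target, boolean covered) {
        System.out.println(target + " -> constraint applies: " + covered);
    }
}
```

Compile and run with `javac WelcomeFileConstraintDemo.java && java WelcomeFileConstraintDemo`. The practical check for a deployer is the first two lines of output: if the container you run matches constraints the way Remy describes, a `*.jsp` pattern alone does not cover a welcome-file request for the directory, and the directory itself needs a matching url-pattern as well.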



> 
>>Rémy
>>
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
Index: RealmBase.java
===================================================================
RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- RealmBase.java      26 Dec 2003 17:33:44 -0000      1.23
+++ RealmBase.java      10 Jan 2004 17:23:39 -0000      1.24
@@ -1,7 +1,7 @@
 /*
- * $Header: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
 1.23 2003/12/26 17:33:44 remm Exp $
- * $Revision: 1.23 $
- * $Date: 2003/12/26 17:33:44 $
+ * $Header: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v
 1.24 2004/01/10 17:23:39 remm Exp $
+ * $Revision: 1.24 $
+ * $Date: 2004/01/10 17:23:39 $
  *
  * ====================================================================
  *
@@ -107,7 +107,7 @@
  * location) are identical to those currently supported by Tomcat 3.X.
  *
  * @author Craig R. McClanahan
- * @version $Revision: 1.23 $ $Date: 2003/12/26 17:33:44 $
+ * @version $Revision: 1.24 $ $Date: 2004/01/10 17:23:39 $
  */
 
 public abstract class RealmBase
@@ -457,10 +457,7 @@
 
         // Check each defined security constraint
         HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
-        String uri = request.getDecodedRequestURI();
-        String contextPath = hreq.getContextPath();
-        if (contextPath.length() > 0)
-            uri = uri.substring(contextPath.length());
+        String uri = request.getRequestPathMB().toString();
         
         String method = hreq.getMethod();
         int i;
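Review bot: replacing the context-path-stripped getDecodedRequestURI() with getRequestPathMB() changes what a constraint is matched against, not just how the string is obtained: for a directory request the mapper resolved to a welcome file, the new value is the welcome file ("/index.jsp" in the example above) rather than the "/" the client sent. That is the intended effect, so state it in a comment beside the new line and in the commit log, and make hasResourcePermission() use the same path, otherwise constraint lookup and the permission check can disagree about which resource is being protected (the RealmBase commit quoted at the top of this thread exists to close exactly that gap). Also, hreq is now used only for getMethod(), and the removed contextPath.length() guard has no counterpart; if getRequestPathMB() can be unset here, that case needs handling.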
@@ -486,10 +483,12 @@
                     }
                 }
             }
-        }        
+        }
+        /*
         if(found) {
             return resultsToArray(results);
         }
+        */
         int longest = -1;
 
         for (i = 0; i < constraints.length; i++) {
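Review bot: commenting out `if(found) { return resultsToArray(results); }` is a semantic change, not a tidy-up: before, the first pass returned as soon as any exact pattern matched and the later passes never ran; now exact, longest-prefix and extension matches all accumulate into `results`, and the same happens at the two later returns this patch comments out. If combining all matching constraints is the intended fix, delete the dead code rather than leaving it commented out and add a comment stating that all matching constraints are merged; if it is not intended, the early returns must stay. Either way `found` is now set in each pass without being consulted anywhere in the visible hunks.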
@@ -535,9 +534,11 @@
                 }
             }
         }
+        /*
         if(found) {
             return  resultsToArray(results);
         }
+        */
         for (i = 0; i < constraints.length; i++) {
             SecurityCollection [] collection = 
constraints[i].findCollections();
             
@@ -546,6 +547,7 @@
                     "' against " + method + " " + uri + " --> " +
                     constraints[i].included(uri, method));
             boolean matched = false;
+            int pos = -1;
             for(int j=0; j < collection.length; j++){
                 String [] patterns = collection[j].findPatterns();
                 for(int k=0; k < patterns.length && !matched; k++) {
@@ -558,6 +560,7 @@
                            uri.length()-dot == pattern.length()-1) {
                             
if(pattern.regionMatches(1,uri,dot,uri.length()-dot)) {
                                 matched = true;
+                                pos = j;
                             }
                         }
                     }
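Review bot: `pos` starts at -1 and is assigned only in the regionMatches branch shown here; if any other branch of this k loop (outside the visible context) sets `matched = true`, it must set `pos = j` as well, otherwise `collection[pos].findMethod(method)` in the next hunk indexes -1 and throws ArrayIndexOutOfBoundsException. A more robust shape is to assign `pos = j` in one place, right where `matched` becomes true for collection j, or to break out of the j loop on a match so the two variables cannot diverge.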
@@ -565,17 +568,19 @@
             }
             if(matched) {
                 found = true;
-                if(collection[i].findMethod(method)) {
+                if(collection[pos].findMethod(method)) {
                     if(results == null) {
                         results = new ArrayList();
-                    }                    
+                    }
                     results.add(constraints[i]);
                 }
             }
         }
+        /*
         if(found) {
             return resultsToArray(results);
         }
+        */
         for (i = 0; i < constraints.length; i++) {
             SecurityCollection [] collection = 
constraints[i].findCollections();
             
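Review bot: `collection[i]` to `collection[pos]` fixes a genuine index mix-up: `i` walks `constraints`, so the old code consulted the wrong collection's method list, or threw ArrayIndexOutOfBoundsException whenever a constraint had fewer collections than its position in `constraints`, and could therefore apply or skip the method check against the wrong <web-resource-collection>. Worth a regression test with two constraints where the second has a single collection whose pattern matches. The third commented-out `if(found) return` here raises the same concern as the earlier two: delete it instead of leaving it in comments, and record the intended combination semantics in one comment near the top of the method.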
