Bill/Remy, Bill Barker wrote: > ----- Original Message ----- > From: "Remy Maucherat" <[EMAIL PROTECTED]> > To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org> > Sent: Wednesday, March 02, 2005 11:56 AM > Subject: Re: cvs commit: > jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm > RealmBase.java > > > >>[EMAIL PROTECTED] wrote: >> >>>luehe 2005/03/02 11:27:11 >>> >>> Modified: catalina/src/share/org/apache/catalina/realm > > RealmBase.java > >>> Log: >>> Consider the case where original request was mapped to welcome page. >>> In this case, the mapped welcome page (and not the original request >>> URI!) needs to be the target of hasResourcePermission(). >>> >>> This is consistent with the change that had been made in > > findSecurityConstraints(). > >>> BTW, shouldn't request.getDecodedRequestURI() return the mapped >>> welcome page (instead of the original URI) in this case? >>> In other words, shouldn't the path passed to >>> mappingData.requestPath.setString(pathStr) >>> in Mapper.java be propagated to the request object associatd with the >>> mappingData? >> >>I consider welcome files to be internal forwards (since it is allowed to >>handle them this way). As a result, they shouldn't be matched by >>secrurity constraints. Only the original request path should be the used >>(so here it's getDecodedRequestURI - as sent by the client). >> > > > I agree with Remy. It's an internal Tomcat implementation detail that > welcome-files aren't handled via DefaultServlet doing: > RequestDispatcher rd = request.getRequestDispatcher(welcome[i]); > rd.forward(request, response); > Since this is explicitly allowed by the spec, nobody can expect that a > security-constraint mapped only to the welcome-file will be applied. > However, this is probably another thing that should be better specified in > the 2.5 spec.
But SRV.9.10 ("Welcome Files") already has this: The container may send the request to the welcome resource with a forward, a redirect, or a container specific mechanism **that is indistinguishable from a direct request**. The latter to me implies that any sec constraints must be applied to the mapped welcome page (if any). Also, see the attached diffs, in particular: - String uri = request.getDecodedRequestURI(); - String contextPath = hreq.getContextPath(); - if (contextPath.length() > 0) - uri = uri.substring(contextPath.length()); + String uri = request.getRequestPathMB().toString(); in findSecurityConstraints(). When accessing <host>:<port>:/somecontext/, which has welcome page /somecontext/index.jsp, request.getDecodedRequestURI() returns "/somecontext/", whereas request.getRequestPathMB().toString() returns "/index.jsp" (as set by the mapper), so there already is a precedent in findSecurityConstraints() to match sec constraints against welcome page, which I think makes sense. Otherwise, the following sec constraint: <security-constraint> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>*.jsp</url-pattern> <http-method>PUT</http-method> <http-method>DELETE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>tomcat</role-name> </auth-constraint> </security-constraint> which is supposed to protect all JSP pages, would be bypassed if a request was mapped to index.jsp welcome page. Jan > >>Rémy >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > This message is intended only for the use of the person(s) listed above as > the intended recipient(s), and may contain information that is PRIVILEGED and > CONFIDENTIAL. If you are not an intended recipient, you may not read, copy, > or distribute this message or any attachment. If you received this > communication in error, please notify us immediately by e-mail and then > delete all copies of this message and any attachments. > > In addition you should be aware that ordinary (unencrypted) e-mail sent > through the Internet is not secure. Do not send confidential or sensitive > information, such as social security numbers, account numbers, personal > identification numbers and passwords, to us via ordinary (unencrypted) e-mail. > > > > > ------------------------------------------------------------------------ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED]
Index: RealmBase.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v retrieving revision 1.23 retrieving revision 1.24 diff -u -r1.23 -r1.24 --- RealmBase.java 26 Dec 2003 17:33:44 -0000 1.23 +++ RealmBase.java 10 Jan 2004 17:23:39 -0000 1.24 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v 1.23 2003/12/26 17:33:44 remm Exp $ - * $Revision: 1.23 $ - * $Date: 2003/12/26 17:33:44 $ + * $Header: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/realm/RealmBase.java,v 1.24 2004/01/10 17:23:39 remm Exp $ + * $Revision: 1.24 $ + * $Date: 2004/01/10 17:23:39 $ * * ==================================================================== * @@ -107,7 +107,7 @@ * location) are identical to those currently supported by Tomcat 3.X. * * @author Craig R. McClanahan - * @version $Revision: 1.23 $ $Date: 2003/12/26 17:33:44 $ + * @version $Revision: 1.24 $ $Date: 2004/01/10 17:23:39 $ */ public abstract class RealmBase @@ -457,10 +457,7 @@ // Check each defined security constraint HttpServletRequest hreq = (HttpServletRequest) request.getRequest(); - String uri = request.getDecodedRequestURI(); - String contextPath = hreq.getContextPath(); - if (contextPath.length() > 0) - uri = uri.substring(contextPath.length()); + String uri = request.getRequestPathMB().toString(); String method = hreq.getMethod(); int i; @@ -486,10 +483,12 @@ } } } - } + } + /* if(found) { return resultsToArray(results); } + */ int longest = -1; for (i = 0; i < constraints.length; i++) { @@ -535,9 +534,11 @@ } } } + /* if(found) { return resultsToArray(results); } + */ for (i = 0; i < constraints.length; i++) { SecurityCollection [] collection = constraints[i].findCollections(); @@ -546,6 +547,7 @@ "' against " + method + " " + uri + " --> " + constraints[i].included(uri, method)); boolean matched = false; + int pos = -1; for(int j=0; j < collection.length; j++){ String [] patterns = collection[j].findPatterns(); for(int k=0; k < patterns.length && !matched; k++) { @@ -558,6 +560,7 @@ uri.length()-dot == pattern.length()-1) { if(pattern.regionMatches(1,uri,dot,uri.length()-dot)) { matched = true; + pos = j; } } } @@ -565,17 +568,19 @@ } if(matched) { found = true; - if(collection[i].findMethod(method)) { + if(collection[pos].findMethod(method)) { if(results == null) { results = new ArrayList(); - } + } results.add(constraints[i]); } } } + /* if(found) { return resultsToArray(results); } + */ for (i = 0; i < constraints.length; i++) { SecurityCollection [] collection = constraints[i].findCollections();
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]