2 messages in org.apache.tomcat.usersRe: Is TC role mapping spec conform?| From | Sent On | Attachments |
|---|---|---|
| Thomas Paradies | Dec 18, 2002 11:40 pm | |
| Craig R. McClanahan | Dec 19, 2002 9:41 am |
| Subject: | Re: Is TC role mapping spec conform? | |
|---|---|---|
| From: | Craig R. McClanahan (crai...@apache.org) | |
| Date: | Dec 19, 2002 9:41:35 am | |
| List: | org.apache.tomcat.users | |
See intermixed.
On Thu, 19 Dec 2002, Thomas Paradies wrote:
Date: Thu, 19 Dec 2002 08:40:52 +0100 From: Thomas Paradies <para...@transit-online.de> Reply-To: Tomcat Users List <tomc...@jakarta.apache.org> To: tomc...@jakarta.apache.org Subject: Is TC role mapping spec conform?
Hi,
I'm a little bit confused about the use of the security-role tag - generally and especially in Tomcat. The WebApp DTD refers for auth-constraint to this element commented as follows:
"... The role-name used here must either correspond to the role-name of one of the security-role elements defined for this web application, or be the specially reserved role-name "*" that is a compact syntax for indicating all roles in the web application. ... If no roles are defined, no user is allowed access to the portion of the web application described by the containing security-constraint..."
My observations with TC 4.1.16: The role-name in auth-constraint isn't verified against an corresponding security-role definition. (test: replace * by role tomcat, do not define a corresponding security-role) According to spec this is a MUST.
You're correct ... it's a bug in Tomcat that this restriction is not enforced. In 4.1 you get a warning in your log files, but enforcing it now would cause lots of existing apps to break.
IMO this means that "*" is limited for indicating all roles in THE WEB APPLICATION and should not not do this for roles in other web applications even if they share the same realm.
Sharing a Realm is a Tomcat feature not covered in the spec, so there is no rule defining what correct the behavior is. Tomcat interprets "*" as meaning "any authenticated user", which is not quite the same thing as the spec language either.
I suggest submitting a bug report to report this:
http://nagoya.apache.org/bugzilla/
Craig
I understand the last sentence of the spec abstract above as a MUST. And "no roles are defined" relates in my eyes to "the web application".
Tested with:
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd";> <web-app> <servlet> <servlet-name>RoleRef</servlet-name> <jsp-file>/test.jsp</jsp-file> </servlet> <servlet-mapping> <servlet-name> RoleRef </servlet-name> <url-pattern> /test </url-pattern> </servlet-mapping> <security-constraint> <web-resource-collection> <web-resource-name>WebCollection</web-resource-name> <url-pattern>/test</url-pattern> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>default</realm-name> </login-config> <!-- uncommenting security-role causes nothing --> <security-role> <role-name>specialrole</role-name> </security-role> </web-app>
Only specialRole should have the permission to access the resource test.jsp, if uncommented no user should have this permission - but in Tomcat any role (e.g. tomcat, from global context) has in both cases the permission ...
IMO this couldn't be the specified behaviour? Comments are welcome.
Regards,
Thomas