Bug in Combining Authorization Constraints
Hi

I have two <security-constraint> elements in my deployment descriptor. One has an <auth-constraint> with <role-name>*</role-name>, and the other does not have any <auth-constraint>. They both have the same <url-pattern>.

By SRV.12.8.1 Combining Constraints: "A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access."

Applying this to the attached .war file, my interpretation is that access to /index.jsp is accepted. However, Tomcat 5.5.12 returns status code 401 (Authorization Required).

Cheers
Nam
--
Random humorous quote: Work is the greatest thing in the world, so save some for tomorrow.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Bug in Combining Authorization Constraints
Replying to my own post. Sorry, the attachment mysteriously disappeared. Anyway, the important part is here:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Index 1</web-resource-name>
        <url-pattern>/index.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Index 2</web-resource-name>
        <url-pattern>/index.jsp</url-pattern>
      </web-resource-collection>
    </security-constraint>

Cheers
Nam
--
Random humorous quote: The only problem with mornings is that they happen too early in the day.
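The combination rule Nam quotes from SRV.12.8.1, applied to the two constraints above, as an added example in Python (an editorial illustration, not Tomcat code and not anything posted in this thread). The `SecurityConstraint`, `Decision`, `combine`, `is_allowed` and `pattern_matches` names are mine, and the second descriptor (`DEMO_DESCRIPTOR`) is constructed here to exercise the other two clauses of the same section: the union of named roles, and an empty auth-constraint precluding everyone. Under the rule, the two constraints on /index.jsp combine to unchecked access, so no authentication challenge is owed; a 401 is exactly what the section rules out.

```python
"""Model of Servlet 2.4 SRV.12.8.1 "Combining Constraints" for one request.

Added illustration, not Tomcat code.  Each <security-constraint> is reduced
to its url-patterns and its <auth-constraint>, which is one of:
  None        : element absent  -> unchecked, unauthenticated access allowed
  frozenset() : element present but names no role -> access precluded for all
  {"r1", "*"} : named roles; "*" implies every role declared in the app
Precedence when several constraints match the same resource:
  empty auth-constraint  >  absent auth-constraint  >  union of named roles
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

ALL_ROLES = "*"


@dataclass(frozen=True)
class SecurityConstraint:
    name: str
    url_patterns: FrozenSet[str]
    auth_constraint: Optional[FrozenSet[str]]   # None = no <auth-constraint>


@dataclass(frozen=True)
class Decision:
    precluded: bool          # some matching constraint had an empty <auth-constraint/>
    unchecked: bool          # some matching constraint had no <auth-constraint>
    roles: FrozenSet[str]    # union of roles named by the remaining constraints

    def authentication_required(self) -> bool:
        # Only a constraint set made purely of role-naming constraints
        # entitles the container to challenge the client (401 / login form).
        return not self.precluded and not self.unchecked


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching: exact, path prefix ("/a/*"), extension ("*.jsp").
    The default "/" pattern is left out, and there is no best-match rule here:
    for security constraints every matching pattern applies."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def combine(constraints: Iterable[SecurityConstraint], path: str) -> Decision:
    matched: List[SecurityConstraint] = [
        c for c in constraints if any(pattern_matches(p, path) for p in c.url_patterns)
    ]
    if not matched:
        # Resource is not covered by any constraint at all: unconstrained.
        return Decision(precluded=False, unchecked=True, roles=frozenset())
    precluded = any(c.auth_constraint is not None and not c.auth_constraint for c in matched)
    unchecked = any(c.auth_constraint is None for c in matched)
    roles = frozenset().union(*(c.auth_constraint for c in matched if c.auth_constraint))
    return Decision(precluded, unchecked, roles)


def is_allowed(decision: Decision, principal_roles: Optional[FrozenSet[str]]) -> bool:
    """principal_roles is None for an unauthenticated request.
    Simplification: "*" admits any authenticated principal; the spec ties it to
    the roles declared in the web application."""
    if decision.precluded:
        return False
    if decision.unchecked:
        return True
    if principal_roles is None:
        return False
    return ALL_ROLES in decision.roles or bool(decision.roles & principal_roles)


# Constructed from the descriptor fragment in the post above: two constraints
# on /index.jsp, one with <role-name>*</role-name>, one with no auth-constraint.
NAM_DESCRIPTOR = [
    SecurityConstraint("Index 1", frozenset({"/index.jsp"}), frozenset({ALL_ROLES})),
    SecurityConstraint("Index 2", frozenset({"/index.jsp"}), None),
]

# Constructed extra descriptor exercising the other two rules of SRV.12.8.1.
DEMO_DESCRIPTOR = [
    SecurityConstraint("Reports", frozenset({"/reports/*"}), frozenset({"manager"})),
    SecurityConstraint("Audit", frozenset({"/reports/*"}), frozenset({"auditor"})),
    SecurityConstraint("Sealed", frozenset({"/reports/sealed.jsp"}), frozenset()),
]

if __name__ == "__main__":
    d = combine(NAM_DESCRIPTOR, "/index.jsp")
    print("/index.jsp: auth required =", d.authentication_required(),
          "| anonymous allowed =", is_allowed(d, None))
    d = combine(DEMO_DESCRIPTOR, "/reports/q3.jsp")
    print("/reports/q3.jsp: roles =", sorted(d.roles),
          "| anonymous allowed =", is_allowed(d, None))
    d = combine(DEMO_DESCRIPTOR, "/reports/sealed.jsp")
    print("/reports/sealed.jsp: manager allowed =", is_allowed(d, frozenset({"manager"})))
```

Run it directly to print the three decisions. Note the ordering in `combine`: the precluded and unchecked flags are computed over every matching constraint before any role check happens, which is the point of the thread; a container that challenges the client as soon as it sees the first role-naming constraint has already sent the 401 before it knows that a sibling constraint made the resource unchecked.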
RE: svn commit: r348087 - /tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
This is in accordance with both Servlet and JACC specs. JACC spec gives higher precedence to unchecked permissions than checked permissions. Complaints should go to both groups :D

Cheers
Nam
--
Random humorous quote: Usually I try to take it one day at a time, but lately several have attacked me at once...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 22, 2005 1:07 PM
To: tomcat-dev@jakarta.apache.org
Subject: svn commit: r348087 - /tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java

Author: billbarker
Date: Mon Nov 21 21:06:40 2005
New Revision: 348087

URL: http://svn.apache.org/viewcvs?rev=348087&view=rev
Log:
The rule is that you authenticate if *all* security-constraints include an auth-constraint. If you have a problem with this, take it up with the Servlet expert-group ;-).

Reported By: Nam T. Nguyen <[EMAIL PROTECTED]>

Modified:
    tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java

Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewcvs/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=348087&r1=348086&r2=348087&view=diff
==
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java Mon Nov 21 21:06:40 2005
@@ -468,28 +468,33 @@ */ return; } - -for(i=0; i < constraints.length; i++) { -// Authenticate based upon the specified login configuration -if (constraints[i].getAuthConstraint()) { + +// Since authenticate modifies the response on failure, +// we have to check for allow-from-all first. +boolean authRequired = true; +for(i=0; i < constraints.length && authRequired; i++) { +if(!constraints[i].getAuthConstraint()) { +authRequired = false; +} +} + +if(authRequired) { +if (log.isDebugEnabled()) { +log.debug(" Calling authenticate()"); +} +if (!authenticate(request, response, config)) { if (log.isDebugEnabled()) { -log.debug(" Calling authenticate()"); +log.debug(" Failed authenticate() test"); } -if (!authenticate(request, response, config)) { -if (log.isDebugEnabled()) { -log.debug(" Failed authenticate() test"); -} -/* - * ASSERT: Authenticator already set the appropriate - * HTTP status code, so we do not have to do anything - * special - */ -return; -} else { -break; -} -} +/* + * ASSERT: Authenticator already set the appropriate + * HTTP status code, so we do not have to do anything + * special + */ +return; +} } + if (log.isDebugEnabled()) { log.debug(" Calling accessControl()"); } - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
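Review bot: the new authRequired loop clears the flag for any constraint whose getAuthConstraint() is false, so the whole decision rests on that accessor being true for a present-but-empty <auth-constraint/> and false only when the element is absent; SRV.12.8.1 says an empty auth-constraint precludes access for everyone while an absent one allows unauthenticated access, and those two cases must not be conflated at `if(!constraints[i].getAuthConstraint())`. A one-line comment there saying that an empty element still counts as having an auth-constraint would make the invariant explicit. The comment above the loop ("we have to check for allow-from-all first") could also spell out the consequence of authRequired ending up false: authenticate() is never called, so the request reaches accessControl() with no principal even when the client sent credentials, and it is accessControl(), not this method, that must then let the unchecked constraint win over the role-naming one.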
RE: svn commit: r348087 - /tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
Sorry, I'm just being dumb here. My comment should be for r348091 instead of this r348087.

Shamefully yours
Nam
--
Random humorous quote: Monday is an awful way to spend 1/7th of your life.