2 Replies Latest reply on Dec 5, 2001 4:36 AM by ko5tik

    Bug in JBoss 2.4.0 / Tomcat 3.2.1 integration (major one!!!!)

    ko5tik

      Hi all,
      just discovered a major bug in the security integration of JBoss: <jsp:include> is bad for security.

      Short explanation:
      I have ejb method which needs caller principal

      ( ctx.getCallerPrincipal() )

      When I call the bean at the very start of the JSP page,
      it gets the correct principal.
      <%= SecurityAssociation.getPrincipal().toString() %>
      embedded in the JSP also gives the correct output.


      But after I issue a <jsp:include>, the principal in the
      security association is reset to 0

      ( and JbossSecurityMgrRealm does this on purpose,
      I checked it )

      I think this comes from the infamous JSP, which serves
      includes as subrequests, thus fooling JBoss
      into assuming that this request is done
      and it can reset any security association.


      I know that JSP sucks, and will replace it in my project ASAP, but what do I do meanwhile?

      Any suggestions?
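The mechanism described in the post, as an added example that is not part of the original thread and not JBoss or Tomcat code: a thread-local "security association" is bound by the realm at request start and cleared at request end, and because <jsp:include> is dispatched as a nested request on the same thread, that clear fires after the include and the outer page loses its principal. The class and method names below (Association, Realm, dispatch, Page) are stand-ins that model the behaviour the poster reports; they are not the JBoss SecurityAssociation or JbossSecurityMgrRealm APIs. The second page shows the obvious stopgap of saving the principal before the include and restoring it afterwards, offered here as an assumption about a workaround, not as something the thread confirms.

```java
import java.security.Principal;

/**
 * Added example (editor's illustration, not JBoss code): a thread-local
 * security association that the realm clears at the end of every request,
 * including the nested request that <jsp:include> produces.
 */
public class IncludePrincipalLoss {

    /** Stand-in for a thread-local security association (assumed model). */
    static final class Association {
        private static final ThreadLocal<Principal> PRINCIPAL = new ThreadLocal<>();
        static Principal getPrincipal() { return PRINCIPAL.get(); }
        static void setPrincipal(Principal p) { PRINCIPAL.set(p); }
        static void clear() { PRINCIPAL.remove(); }
    }

    /** Stand-in for the realm: binds the caller on entry, clears on exit. */
    static final class Realm {
        static void begin(Principal caller) { Association.setPrincipal(caller); }
        static void end() { Association.clear(); }
    }

    /** A page or servlet; an include is just another dispatch on the same thread. */
    interface Page { void service(StringBuilder out); }

    /** Every dispatch, top-level or include, goes through the realm's begin/end. */
    static void dispatch(Principal caller, Page page, StringBuilder out) {
        Realm.begin(caller);
        try {
            page.service(out);
        } finally {
            Realm.end();   // this is the clear that also runs after the include
        }
    }

    static Principal current() { return Association.getPrincipal(); }

    /** Models the EJB method from the post that needs the caller principal. */
    static String callerName() {
        Principal p = current();
        return p == null ? "null" : p.getName();
    }

    /** The included fragment; declared first so the pages below can refer to it. */
    static final Page footer = out ->
        out.append("footer sees: ").append(callerName()).append('\n');

    /** Page as written in the post: bean call, include, bean call again. */
    static final Page naivePage = out -> {
        out.append("before include: ").append(callerName()).append('\n');
        dispatch(current(), footer, out);            // the <jsp:include> subrequest
        out.append("after include: ").append(callerName()).append('\n');
    };

    /** Stopgap (assumption): save the principal around the include and restore it. */
    static final Page guardedPage = out -> {
        out.append("before include: ").append(callerName()).append('\n');
        Principal saved = current();
        try {
            dispatch(saved, footer, out);
        } finally {
            Association.setPrincipal(saved);         // undo the realm's clear
        }
        out.append("after include: ").append(callerName()).append('\n');
    };

    public static void main(String[] args) {
        Principal alice = () -> "alice";             // constructed sample caller
        StringBuilder out = new StringBuilder();
        dispatch(alice, naivePage, out);
        out.append("---\n");
        dispatch(alice, guardedPage, out);
        System.out.print(out);
    }
}
```

The first run reports a null principal after the include, reproducing what the post describes; the second keeps alice because the page restores the association itself. The save-and-restore only works because the include runs synchronously on the calling thread, so it is a stopgap for the page, not a fix for the integration layer that clears on subrequest completion.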