security issue with action commands...
bs.ntsu Aug 22, 2005 5:15 AM
Hi.
I have a web application that under its context has two different
maps, one is admin and the other one is user.
I use an ActionRouter and have actions like list-clients.do.
The admin map is a restricted area described in web.xml.
You have to be in AdminRole to get access.
My problem is that if I log in as user, I can "shoot" action commands
like list-clients.do from the user area and the servlet maps to the proper
JSP that is in the admin map. When I then try isUserInRole and so on
there is only a question mark. If I run from the admin area, isUserInRole
knows who is logged in.
PS. I put list-clients.do in the URL like http://myplace.com/users/list-clients.do and the servlet replies with the JSP from the
admin area.
Anybody know why the restricted area declared in the web.xml file
doesn't work under that condition, and how to solve this?
I'm using JBoss 3.2.3.
Here's my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- The filter and servlet declarations need their <filter> / <servlet>
       wrapper elements; the mappings below reference them by name. -->
  <filter>
    <filter-name>loginfilter</filter-name>
    <filter-class>argus.web.util.LoginFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>loginfilter</filter-name>
    <url-pattern>/admin/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>loginfilter</filter-name>
    <url-pattern>/user/*</url-pattern>
  </filter-mapping>
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>argus.web.servlet.ActionServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>setup</servlet-name>
    <servlet-class>argus.web.servlet.SetupServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <!-- Extension mapping: every *.do under any directory goes to the action servlet. -->
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>0</session-timeout>
  </session-config>
  <security-constraint>
    <display-name>ArgusAdmin</display-name>
    <web-resource-collection>
      <web-resource-name>AdminAdaptor</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ArgusAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>ArgusUser</display-name>
    <web-resource-collection>
      <web-resource-name>UserAdaptor</web-resource-name>
      <url-pattern>/user/*</url-pattern>
      <url-pattern>/index.htm</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ArgusAdmin</role-name>
      <role-name>ArgusUser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.htm</form-login-page>
      <form-error-page>/loginError.htm</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>ArgusAdmin</role-name>
  </security-role>
  <security-role>
    <role-name>ArgusUser</role-name>
  </security-role>
</web-app>
--------------------------------------------------------------------------------
Many Thanks
Bjorn
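An added example, not code from the original post or the Argus project, showing the check the action router needs: a web.xml security-constraint is enforced only against the URL the client requested, so a RequestDispatcher forward from a *.do request under /user to a JSP under /admin is never re-checked by the container, and the servlet has to verify the role itself before forwarding. The class name, the action table and the JSP paths are assumptions; the role names are the ones from the posted web.xml.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical role-checking action router (added example, not the original
 * ActionServlet). Declarative constraints cover the requested URL only; a
 * forward() to /admin/...jsp is not re-checked, so the role is checked here.
 */
public class RoleCheckedActionServlet extends HttpServlet {
    /** Action name -> required role, and action name -> JSP (constructed sample table). */
    private static final Map ACTION_ROLES = new HashMap();
    private static final Map ACTION_VIEWS = new HashMap();
    static {
        ACTION_ROLES.put("list-clients", "ArgusAdmin");
        ACTION_VIEWS.put("list-clients", "/admin/list-clients.jsp");
        ACTION_ROLES.put("my-profile", "ArgusUser");
        ACTION_VIEWS.put("my-profile", "/user/my-profile.jsp");
    }

    /** "/user/list-clients.do" -> "list-clients": the directory the client typed is ignored. */
    static String actionName(String servletPath) {
        String name = servletPath.substring(servletPath.lastIndexOf('/') + 1);
        return name.endsWith(".do") ? name.substring(0, name.length() - 3) : name;
    }

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // With the *.do extension mapping, getServletPath() is the full request path.
        String action = actionName(req.getServletPath());
        String requiredRole = (String) ACTION_ROLES.get(action);
        String view = (String) ACTION_VIEWS.get(action);
        if (requiredRole == null || view == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND); // unknown action
            return;
        }
        // isUserInRole() is false both for a logged-in ArgusUser and when there is
        // no principal at all (a URL outside every constraint is never challenged),
        // so the refusal happens before any forward can reach the admin JSP.
        if (!req.isUserInRole(requiredRole)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.getRequestDispatcher(view).forward(req, resp);
    }
}
```

Note that the URL quoted in the post, /users/list-clients.do, matches neither /user/* nor /admin/*, so the container applies no constraint to it at all; the programmatic check above is the part that closes the gap regardless of which directory the action name is typed under.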