3 Replies Latest reply on Mar 13, 2006 12:00 AM by starksm64

Interpretation of rolename with

anil.saldhana Mar 10, 2006 12:27 PM

Starting Tomcat 5.5.15, there has been a fix made to be in line with the servlet specification.

http://tomcat.apache.org/tomcat-5.5-doc/changelog.html

http://issues.apache.org/bugzilla/show_bug.cgi?id=37852

http://issues.apache.org/bugzilla/show_bug.cgi?id=37934

The current Tomcat behavior is that the interpretation of

<role-name>*</role-name>

is to be access to only the roles defined in the web.xml

But this differs from the general behavior in other J2EE specs. Plus the interpretation in the JBoss Jacc layer is to allow access to any authenticated user.

Here is what Scott had to say:

We should support access by any authenticated user in both. I don't care
to restrict access to just the web.xml declared roles. This is the
current tomcat behavior. How this can be supported in the jacc layer is
the issue.

There is a JIRA issue for the JBoss Jacc layer related to this:
http://jira.jboss.com/jira/browse/JBAS-1824

There are two tests failing in the 4.0 testsuite that capture this anomaly:
http://tinyurl.com/euqcm

What should be done?

1. Re: Interpretation of rolename with

starksm64 Mar 10, 2006 1:05 PM (in response to anil.saldhana)

This does not differ from the j2ee behavior, its the strict interpretation of it. The problem with this behavior in the past is that you could not say, "only allow access to authenticated users".

I still don't see how 2.4/2.5mr servlet spec allow for this:

SRV.12.7.1 Combining Constraints
When a url-pattern and http-method pair occurs in multiple security constraints, the constraints (on the pattern and method) are defined by combining the individual constraints. The rules for combining constraints in which the same pattern and method occur are as follows:
The combination of authorization constraints that name roles or that imply
roles via the name ?*? shall yield the union of the role names in the individual constraints as permitted roles. A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access. The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded.

The combination of user-data-constraints that apply to a common urlpattern and http-method shall yield the union of connection types accepted by the individual constraints as acceptable connection types. A security constraint that does not contain a user-data-constraint shall combine with other userdata-constraint to cause the unprotected connection type to be an accepted connection type.

I view this as a problem with the spec. I brought this up in the jacc eg. I guess it needs to be brought up in the servlet spec to get it clarified. In the meantime the question is how we allow for authentication only access in jboss.
Actions
2. Re: Interpretation of rolename with

anil.saldhana Mar 10, 2006 2:02 PM (in response to anil.saldhana)

"scott.stark@jboss.org" wrote:
This does not differ from the j2ee behavior, its the strict interpretation of it. The problem with this behavior in the past is that you could not say, "only allow access to authenticated users".

The strictness is certainly a diff in behavior with other j2ee specs.

For the 4.0.4GA, what should we do is the question?

Was there any clarification from the JACC Exec on this?
Actions
3. Re: Interpretation of rolename with

starksm64 Mar 13, 2006 12:00 AM (in response to anil.saldhana)

No clarification. The only way to restore the authentication only behavior is to override the RealmBase.hasResourcePermission to recheck for an all roles specification with no roles specified in addition to some jboss-web.xml setting.

http://jira.jboss.com/jira/browse/JBAS-2926
Actions

Go to original post