0 Replies Latest reply on Aug 21, 2005 3:41 PM by Bjorn

    Security issue with action commands....

    Bjorn Newbie

      Hi

      I have a webapplication that under its context has two diffenent
      maps, one is admin and the other one is user.
      I use an ActionRouter and has actions like list-clients.do.
      The admin map is restricted area described in web.xml.
      You have to be in AdminRole to get access.

      My problem is that if I log in as user, I can "shoot" actions commands
      like list-clients.do from the user area and Servlet maps to the proper
      jsp that is in the admin map. When I then try isUserInRole and so on
      there is only a quetstionmark. If I run from admin area the isUserInRole
      knows who is logged in.
      I put in the list-clients.do in the url like: http://myplace.com/users/list-clients.do and servlet reply with jsp from
      admin area.
      Anybody know why not the restricted area declared in the web.xml file
      works during that condition, and how to solve this?


      Im using JBoss3.2.3 and use SingleSignOn.

      Heres my web.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
      <web-app>

      <filter-name>loginfilter</filter-name>
      <filter-class>argus.web.util.LoginFilter</filter-class>

      <filter-mapping>
      <filter-name>loginfilter</filter-name>
      <url-pattern>/admin/*</url-pattern>
      </filter-mapping>
      <filter-mapping>
      <filter-name>loginfilter</filter-name>
      <url-pattern>/user/*</url-pattern>
      </filter-mapping>

      <servlet-name>action</servlet-name>
      <servlet-class>argus.web.servlet.ActionServlet</servlet-class>


      <servlet-name>setup</servlet-name>
      <servlet-class>argus.web.servlet.SetupServlet</servlet-class>
      <load-on-startup>1</load-on-startup>

      <servlet-mapping>
      <servlet-name>action</servlet-name>
      <url-pattern>*.do</url-pattern>
      </servlet-mapping>
      <session-config>
      <session-timeout>0</session-timeout>
      </session-config>
      <security-constraint>
      <display-name>ArgusAdmin</display-name>
      <web-resource-collection>
      <web-resource-name>AdminAdaptor</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>ArgusAdmin</role-name>
      </auth-constraint>
      </security-constraint>
      <security-constraint>
      <display-name>ArgusUser</display-name>
      <web-resource-collection>
      <web-resource-name>UserAdaptor</web-resource-name>
      <url-pattern>/user/*</url-pattern>
      <url-pattern>/index.htm</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
      <role-name>ArgusAdmin</role-name>
      <role-name>ArgusUser</role-name>
      </auth-constraint>
      </security-constraint>
      <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
      <form-login-page>/login.htm</form-login-page>
      <form-error-page>/loginError.htm</form-error-page>
      </form-login-config>
      </login-config>
      <security-role>
      <role-name>ArgusAdmin</role-name>
      </security-role>
      <security-role>
      <role-name>ArgusUser</role-name>
      </security-role>
      </web-app>

      Many Thanks
      Bjorn