2 Replies Latest reply on Oct 4, 2005 2:42 PM by lduperval

    Certain servlets accessible despite security constraints

    lduperval

      Hi,

      I have a Struts application which is not being protected as I expected. What happens is that my Struts actions can be accessed directly, no matter what my role is, as long as I am logged in. For example, I have a JSP menu that does the following:

      if ("admin".equals(userRole)) {
        [Show URL to delete elements from database]
      } else {
        [Show URL to display information only]
      }

      When I log in as an admin, I see the [Delete] link and when I log in as a user I see the [Display] link only.

      However, when I type the URL to delete a database element in the URL bar, elements are deleted even if I am not an admin. So, I can enter:

      http://localhost/webContext/DeleteAction?uniqueId=foo

      and element 'foo' will be deleted from the database. I expected a "Permission denied" exception.

      Here are the relevant portions of my configuration:

      Web.xml:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>secure-web-component-names</web-resource-name>
          <url-pattern>/PlanTypeComponentSelectAction.do</url-pattern>
          <url-pattern>/PlanTypeComponentCreateAction.do</url-pattern>
          <url-pattern>/PlanTypeComponentRetrieveAction.do</url-pattern>
          <url-pattern>/PlanTypeComponentUpdateAction.do</url-pattern>
          <url-pattern>/PlanTypeComponentDeleteAction.do</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
      </security-constraint>

      login-config.xml:

      <application-policy name = "tme_security_realm">
        <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                        flag = "required">
            <module-option name = "dsJndiName">java:/DefaultDS</module-option>
            <module-option name = "principalsQuery">SELECT SEC_USER_PASSWORD FROM sec_user WHERE SEC_USER_USERID=?</module-option>
            <module-option name = "rolesQuery">
              SELECT sec_role_Name,'Roles' FROM sec_Role, sec_user, sec_userrole
              WHERE sec_user_USERID=?
              and sec_role.sec_role_uuid=sec_userrole_role_uuid
              and sec_user.sec_user_uuid=sec_userrole_role_uuid
            </module-option>
          </login-module>
          <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
        </authentication>
      </application-policy>

      tomcat's server.xml:

      <Valve className="org.apache.catalina.authenticator.SingleSignOn"
             debug="0"/>

      and debugging output:

      DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /webContext/PlanTypeComponentDeleteAction.do
      DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Standard-Struts-Administrative-Actions]' against GET /PlanTypeComponentDeleteAction.do --> false
      DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[AlturaForceContainerLogin]' against GET /PlanTypeComponentDeleteAction.do --> false
      DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure-Main-Menu]' against GET /PlanTypeComponentDeleteAction.do --> false
      DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> true
      DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
      DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
      DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
      DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
      DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
      DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
      DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
      DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
      DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
      DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
      DEBUG [org.apache.catalina.authenticator.FormAuthenticator] SSO Id E110D62A46E07BE6CD6E0D69E491A975 set; attempting reauthentication
      DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Reauthenticated cached principal 'user' with auth type 'FORM'
      DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
      DEBUG [org.apache.catalina.realm.RealmBase] Checking roles user
      DEBUG [org.apache.catalina.realm.RealmBase] No role found: admin
      DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
      DEBUG [org.apache.catalina.core.StandardWrapper] Returning non-STM instance

      I don't understand what the "true" above means here and why there is a re-login going on. I'm guessing that may be explaining some of the problems I'm seeing.

      Any ideas?

      Thanks,


      L
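
An added example, not part of the original post or of this application: a servlet filter that enforces the admin role on the same five action paths inside the web application itself, so a URL typed into the address bar is refused even when the container's constraint matching does not behave as expected. It assumes the container has already performed the FORM login (so isUserInRole reflects the realm's roles) and that the filter is mapped in web.xml to those url-patterns; the class and package names are hypothetical.

```java
// Added example (not from the original post). Hypothetical package/class names.
// Map it in web.xml with one <filter-mapping> per protected path, e.g.
//   <url-pattern>/PlanTypeComponentDeleteAction.do</url-pattern>
// Defense in depth: the menu hiding a link is not authorization; the server must
// check the role on every request to the action, whatever the container decided.
package example.security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AdminActionFilter implements Filter {
    private static final String REQUIRED_ROLE = "admin";
    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Not authenticated at all: refuse rather than fall through to the action.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authenticated but lacking the role (the 'user' principal in the log above):
        // log the denied attempt, since this is the event worth watching, and stop.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            context.log("Denied " + request.getRequestURI() + " to principal "
                    + request.getUserPrincipal().getName() + " (role " + REQUIRED_ROLE + " missing)");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res); // role present: let the Struts action run
    }

    public void destroy() { }
}
```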