Certain servlets accessible despite security constraints
lduperval Oct 4, 2005 10:21 AM
Hi,
I have a Struts application which is not being protected as I expected. What happens is that my Struts actions can be accessed directly, no matter what my role is, as long as I am logged in. For example, I have a JSP menu that does the following:
if (userRole == 'admin') {
    [Show URL to delete elements from database]
} else {
    [Show URL to display information only]
}
When I log in as an admin, I see the [Delete] link and when I log in as a user I see the [Display] link only.
However, when I type the URL to delete a database element in the URL bar, elements are deleted even if I am not an admin. So, I can enter:
http://localhost/webContext/DeleteAction?uniqueId=foo
and element 'foo' will be deleted from the database. I expected a "Permission denied" exception.
Here are the relevant portions of my configuration:
Web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>secure-web-component-names</web-resource-name>
        <url-pattern>/PlanTypeComponentSelectAction.do</url-pattern>
        <url-pattern>/PlanTypeComponentCreateAction.do</url-pattern>
        <url-pattern>/PlanTypeComponentRetrieveAction.do</url-pattern>
        <url-pattern>/PlanTypeComponentUpdateAction.do</url-pattern>
        <url-pattern>/PlanTypeComponentDeleteAction.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
login-config.xml:
<application-policy name="tme_security_realm">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName">java:/DefaultDS</module-option>
            <module-option name="principalsQuery">SELECT SEC_USER_PASSWORD FROM sec_user WHERE SEC_USER_USERID=?</module-option>
            <module-option name="rolesQuery">
                SELECT sec_role_Name,'Roles'
                FROM sec_Role, sec_user, sec_userrole
                WHERE sec_user_USERID=?
                  and sec_role.sec_role_uuid=sec_userrole_role_uuid
                  and sec_user.sec_user_uuid=sec_userrole_role_uuid
            </module-option>
        </login-module>
        <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
    </authentication>
</application-policy>
tomcat's server.xml:
<Valve className="org.apache.catalina.authenticator.SingleSignOn" debug="0"/>
and debugging output:
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /webContext/PlanTypeComponentDeleteAction.do
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Standard-Struts-Administrative-Actions]' against GET /PlanTypeComponentDeleteAction.do --> false
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[AlturaForceContainerLogin]' against GET /PlanTypeComponentDeleteAction.do --> false
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[Secure-Main-Menu]' against GET /PlanTypeComponentDeleteAction.do --> false
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> true
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[secure-web-component-names]' against GET /PlanTypeComponentDeleteAction.do --> false
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
DEBUG [org.apache.catalina.authenticator.FormAuthenticator] SSO Id E110D62A46E07BE6CD6E0D69E491A975 set; attempting reauthentication
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Reauthenticated cached principal 'user' with auth type 'FORM'
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
DEBUG [org.apache.catalina.realm.RealmBase] Checking roles user
DEBUG [org.apache.catalina.realm.RealmBase] No role found: admin
DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
DEBUG [org.apache.catalina.core.StandardWrapper] Returning non-STM instance
I don't understand what the "true" above means here and why there is a re-login going on. I'm guessing that may be explaining some of the problems I'm seeing.
Any ideas?
Thanks,
L
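Whatever the reason the container let the request through, hiding the [Delete] link in the JSP is not an authorization check; the server has to refuse the request itself. As an added example that is not the poster's code, here is a servlet Filter that requires the admin role for the five action paths listed in the web.xml above, using the standard request.isUserInRole() call so that it resolves against the same roles the realm loaded. The class name ActionRoleFilter and mapping it to the url-pattern *.do are assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not the poster's code): enforces the role requirement for the
// protected Struts actions on every request, independently of the container's
// <security-constraint> evaluation. Map it to the url-pattern *.do in web.xml.
public class ActionRoleFilter implements Filter {
    // servlet path -> role required (paths taken from the poster's web.xml)
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<String, String>();
    static {
        REQUIRED_ROLE.put("/PlanTypeComponentSelectAction.do", "admin");
        REQUIRED_ROLE.put("/PlanTypeComponentCreateAction.do", "admin");
        REQUIRED_ROLE.put("/PlanTypeComponentRetrieveAction.do", "admin");
        REQUIRED_ROLE.put("/PlanTypeComponentUpdateAction.do", "admin");
        REQUIRED_ROLE.put("/PlanTypeComponentDeleteAction.do", "admin");
    }

    // true when the request's principal may invoke the given servlet path
    static boolean isPermitted(HttpServletRequest req, String servletPath) {
        String role = REQUIRED_ROLE.get(servletPath);
        if (role == null) {
            return true; // path is not in the protected set
        }
        // an unauthenticated request has no principal and is refused outright;
        // isUserInRole() checks the roles the realm loaded for the logged-in user
        return req.getUserPrincipal() != null && req.isUserInRole(role);
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // getServletPath() excludes the context path and the query string, so
        // /webContext/PlanTypeComponentDeleteAction.do?uniqueId=foo gives /PlanTypeComponentDeleteAction.do
        if (!isPermitted(req, req.getServletPath())) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // the Struts action never runs, so nothing is deleted
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig config) { }
    public void destroy() { }
}
```

With this in place a logged-in user without the admin role gets a 403 on the direct URL even if the container's constraint matching is misconfigured, and the refused request shows up in the access log as a 403 rather than a 200.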