3 Replies Latest reply on Mar 13, 2006 12:00 AM by Scott Stark

    Interpretation of rolename with

    Anil Saldanha Master

      Starting Tomcat 5.5.15, there has been a fix made to be in line with the servlet specification.

      http://tomcat.apache.org/tomcat-5.5-doc/changelog.html

      http://issues.apache.org/bugzilla/show_bug.cgi?id=37852

      http://issues.apache.org/bugzilla/show_bug.cgi?id=37934

      The current Tomcat behavior is that the interpretation of

      <role-name>*</role-name>

      is to be access to only the roles defined in the web.xml

      But this differs from the general behavior in other J2EE specs. Plus the interpretation in the JBoss Jacc layer is to allow access to any authenticated user.

      Here is what Scott had to say:
      We should support access by any authenticated user in both. I don't care
      to restrict access to just the web.xml declared roles. This is the
      current tomcat behavior. How this can be supported in the jacc layer is
      the issue.
      


      There is a JIRA issue for the JBoss Jacc layer related to this:
      http://jira.jboss.com/jira/browse/JBAS-1824

      There are two tests failing in the 4.0 testsuite that capture this anomaly:
      http://tinyurl.com/euqcm

      What should be done?

        • 1. Re: Interpretation of rolename with
          Scott Stark Master

          This does not differ from the j2ee behavior, its the strict interpretation of it. The problem with this behavior in the past is that you could not say, "only allow access to authenticated users".

          I still don't see how 2.4/2.5mr servlet spec allow for this:


          SRV.12.7.1 Combining Constraints
          When a url-pattern and http-method pair occurs in multiple security constraints, the constraints (on the pattern and method) are defined by combining the individual constraints. The rules for combining constraints in which the same pattern and method occur are as follows:
          The combination of authorization constraints that name roles or that imply
          roles via the name ?*? shall yield the union of the role names in the individual constraints as permitted roles. A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access. The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded.

          The combination of user-data-constraints that apply to a common urlpattern and http-method shall yield the union of connection types accepted by the individual constraints as acceptable connection types. A security constraint that does not contain a user-data-constraint shall combine with other userdata-constraint to cause the unprotected connection type to be an accepted connection type.


          I view this as a problem with the spec. I brought this up in the jacc eg. I guess it needs to be brought up in the servlet spec to get it clarified. In the meantime the question is how we allow for authentication only access in jboss.


          • 2. Re: Interpretation of rolename with
            Anil Saldanha Master

             

            "scott.stark@jboss.org" wrote:
            This does not differ from the j2ee behavior, its the strict interpretation of it. The problem with this behavior in the past is that you could not say, "only allow access to authenticated users".


            The strictness is certainly a diff in behavior with other j2ee specs.

            For the 4.0.4GA, what should we do is the question?

            Was there any clarification from the JACC Exec on this?

            • 3. Re: Interpretation of rolename with
              Scott Stark Master

              No clarification. The only way to restore the authentication only behavior is to override the RealmBase.hasResourcePermission to recheck for an all roles specification with no roles specified in addition to some jboss-web.xml setting.

              http://jira.jboss.com/jira/browse/JBAS-2926