Bug 37852 - Security constraint where role name defined as any ("*") deny access at all
Security constraint where role name defined as any ("*") deny access at all
Status: RESOLVED FIXED
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
5.5.14
Other other
: P2 normal (vote)
: ---
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2005-12-09 14:32 UTC by casper
Modified: 2006-08-10 12:22 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description casper 2005-12-09 14:32:09 UTC
Class org.apache.catalina.realm.RealmBase, lines from 735:
            
            if (constraint.getAllRoles() && !denyfromall)
                status = true;

            if (log.isDebugEnabled())
                log.debug("  Checking roles " + principal);

            if (roles.length == 0) {
                if(constraint.getAuthConstraint()) {
                    if( log.isDebugEnabled() )
                        log.debug("No roles ");
                    status = false; // No listed roles means no access at all
                    denyfromall = true;
                } else {
                    if(log.isDebugEnabled())
                        log.debug("Passing all access");
                    return (true);
                }
            } else if (principal == null) {
                if (log.isDebugEnabled())
                    log.debug("  No user authenticated, cannot grant access");
                status = false;
            } else if(!denyfromall) {

                for (int j = 0; j < roles.length; j++) {
                    if (hasRole(principal, roles[j]))
                        status = true;
                    if( log.isDebugEnabled() )
                        log.debug( "No role found:  " + roles[j]);
                }
            }

must be

            if (constraint.getAllRoles() && !denyfromall)
                status = true;

            else {

            if (log.isDebugEnabled())
                log.debug("  Checking roles " + principal);

            if (roles.length == 0) {
                if(constraint.getAuthConstraint()) {
                    if( log.isDebugEnabled() )
                        log.debug("No roles ");
                    status = false; // No listed roles means no access at all
                    denyfromall = true;
                } else {
                    if(log.isDebugEnabled())
                        log.debug("Passing all access");
                    return (true);
                }
            } else if (principal == null) {
                if (log.isDebugEnabled())
                    log.debug("  No user authenticated, cannot grant access");
                status = false;
            } else if(!denyfromall) {

                for (int j = 0; j < roles.length; j++) {
                    if (hasRole(principal, roles[j]))
                        status = true;
                    if( log.isDebugEnabled() )
                        log.debug( "No role found:  " + roles[j]);
                }
            }
            }
Comment 1 xrcat 2005-12-09 15:20:04 UTC
(In reply to comment #0)

It's better to test for AllRoles into top-level 'if'. (do not skip checks for 
null principal)

Should be:

Class org.apache.catalina.realm.RealmBase, lines from 735:

if (constraint.getAllRoles() && !denyfromall)
  status = true;
if (log.isDebugEnabled())
  log.debug("  Checking roles " + principal);
if (roles.length == 0 && !constraint.getAllRoles()) {
Comment 2 william.barker 2005-12-10 03:55:18 UTC
The second patch has been applied to the SVN trunk, and will appear in 5.5.15.

Thanks much!
Comment 3 Thomas Trepl 2006-03-23 14:59:34 UTC
(In reply to comment #2)
> The second patch has been applied to the SVN trunk, and will appear in 5.5.15.

Hmm, I've installed 5.5.15 on a SLES9 with Sun JDK 1.5.0_06-b05, but i still
have the problem described in the headline. I'm no Tomcat hacker (for now;-) so
I cannot provide a patch here. I cannot find the "second" patch applied in the
sources or do i miss something?
Comment 4 Ralf Hauser 2006-08-08 15:05:04 UTC
with v 5.5.17, I cannot get a configuration like the one described in Bug 39364
to work either (it worked nicely with ~5.5.4)



see also Bug 37044
Comment 5 Mark Thomas 2006-08-08 23:05:15 UTC
This issue has been fixed in SVN as per Bill's comment above.

There appears to be some confusion between this issue and the fix for bug 15570
which corrected the way the special * role was handled. Questions regarding this
should be directed to the users list.
Comment 6 jemiller 2006-08-10 17:38:36 UTC
It doesn't look fixed to me. I'm getting 403 errors with Tomcat 5.5.17 in an 
app that works just fine with Tomcat 5.5.9.
Comment 7 Filip Hanik 2006-08-10 19:22:28 UTC
it cause of this change
http://issues.apache.org/bugzilla/show_bug.cgi?id=15570
if you use *, you still need to define all the roles in web.xml,
* refers to the roles in web.xml, not the ones specified in the security realm