First, thank you for implementing security in JK. I know it was possible to secure it before in Apache, but in IIS, JK runs before the NTFS rights apply. So this is a long awaited feature. But seeing that this mainly applies to non-Apache environments, it is bad that the user check is done case-sensitively. In IIS, especially when working with domain users, a user may come in as UCase/LCase Domain\User in any combination. Even case differences in the username (i.e. first letter capital or not) occur. Windows does not care, but JK does. So one can auth against IIS, but still be blocked by JK, even with the right user. At the moment we work around this by trying to put every combination in the properties file. But this is a hopeless fight. I understand that you might not be able to simply LCase the username because that would lose some compatibility with the Unix side. But maybe you can introduce a parameter like "worker.jk-manage.casesensitive=True|False"?
Hi, good to hear that the feature basically works :) I'm sure you noticed that this only secures the status worker? So we could only discuss securing access to the status worker in an appropriate way. I would like to consider whether we could make the string comparison case insensitive dependent on the platform. So we could use case-insensitivity on the Windows platform, and sensitivity on the other ones. I'm not sure about Netware, but we could ask Günter Knauf about the habits there. We usually use #ifdef WIN32 to distinguish the Windows platform. Actually I don't know if this is still correct in times of 64-bit Windows, but since Mladen has actually been doing Windows 64-bit builds for quite some time, I assume that this is still correct. So I would propose a patch as follows: Index: jk_status.c =================================================================== --- jk_status.c (revision 494133) +++ jk_status.c (working copy) @@ -2846,7 +2846,11 @@ unsigned int i; denied = 1; for (i = 0; i < w->num_of_users; i++) { +#if defined(WIN32) + if (!strcasecmp(s->remote_user, w->user_names[i])) { +#else if (!strcmp(s->remote_user, w->user_names[i])) { +#endif denied = 0; break; } Maybe you could try this to find out if this really handles all the cases needed? Thanks for the suggestion.
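Review bot: The #if defined(WIN32) in the user loop makes the comparison policy a compile-time property of the platform, so a Unix build fronting a case-insensitive auth backend (LDAP, as raised in the thread) can never match "Domain\User" variants, and a Windows build with a case-sensitive backend silently accepts more principals than the admin listed; a runtime worker attribute that selects between strcmp and strcasecmp per status worker would cover both. On the WIN32 branch, strcasecmp is the POSIX name; the MSVC C runtime spells it _stricmp (or stricmp), so this hunk only builds on Windows if a JK header already maps strcasecmp for WIN32, and that dependency should be stated or the call written as the Windows name directly. Style: wrapping the whole `if (...) {` line in #if/#else/#endif duplicates the condition; selecting the comparison function once above the loop and keeping a single `if` line reads cleaner and avoids the two branches drifting apart.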
Hi, this seems like a good solution. Although there might be case-insensitive auth subsystems under Unix and sensitive ones in a Windows environment (some LDAP systems), this is not the common way. We'd be happy to test the enhancement, but we have no build environment here. So if anyone could supply a win32 and/or win64 build, we'd test it and report back.
I added a new attribute user_case_insensitive to the status worker, which can be set to True in workers.properties to make the user name comparison case insensitive. Default is False=case sensitive. This will be part of version 1.2.21.
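The check that the new attribute controls, written out as an added example in C. This is not mod_jk's code: status_worker_t, status_user_allowed, status_parse_bool, sample_allowed, jk_strcasecmp and the SAMPLE_USERS list are names and data constructed for this illustration. It shows the runtime switch between strcmp and a case-insensitive compare per worker, the Windows portability detail (the MSVC runtime calls the function _stricmp), and the two edge cases a practitioner will hit: an unauthenticated request (no REMOTE_USER) and a configured name that differs only by whitespace or a missing domain prefix, both of which are denied in either mode.

```c
#include <stdio.h>
#include <string.h>

/* Portable case-insensitive compare: the MSVC C runtime names it _stricmp,
 * POSIX systems provide strcasecmp in <strings.h>. (Assumed macro name.) */
#if defined(_WIN32)
#define jk_strcasecmp _stricmp
#else
#include <strings.h>
#define jk_strcasecmp strcasecmp
#endif

/* Hypothetical stand-in for the status worker's user list (not mod_jk's struct). */
typedef struct {
    const char *const *user_names;
    unsigned int num_of_users;
    int user_case_insensitive;   /* 0 = exact match (the default), 1 = ignore case */
} status_worker_t;

/* Parse the workers.properties boolean the way an admin writes it:
 * "True"/"true"/"1"/"yes"/"on" -> 1, anything else (including NULL) -> 0.
 * Example parser, not mod_jk's. */
int status_parse_bool(const char *value)
{
    if (value == NULL)
        return 0;
    return jk_strcasecmp(value, "true") == 0 || jk_strcasecmp(value, "1") == 0
        || jk_strcasecmp(value, "yes") == 0 || jk_strcasecmp(value, "on") == 0;
}

/* Returns 1 if remote_user may reach the status worker, 0 otherwise.
 * Fails closed: an unauthenticated request (NULL user) or an empty user
 * list denies access in this example (assumption; the real worker's
 * handling of an unset user list is not shown in the thread). */
int status_user_allowed(const status_worker_t *w, const char *remote_user)
{
    unsigned int i;
    if (remote_user == NULL || w->num_of_users == 0)
        return 0;
    for (i = 0; i < w->num_of_users; i++) {
        int match = w->user_case_insensitive
            ? jk_strcasecmp(remote_user, w->user_names[i]) == 0
            : strcmp(remote_user, w->user_names[i]) == 0;
        if (match)
            return 1;
    }
    return 0;
}

/* Constructed sample user list, as it might come from
 * worker.jkstatus.user=DOMAIN\Alice,bob (the Domain\User form is what IIS
 * hands over as REMOTE_USER for a Windows domain account). */
const char *const SAMPLE_USERS[] = { "DOMAIN\\Alice", "bob" };
const unsigned int SAMPLE_USER_COUNT = 2;

/* Convenience wrapper: check one user against the sample list with the
 * given value of user_case_insensitive. */
int sample_allowed(int case_insensitive, const char *remote_user)
{
    status_worker_t w;
    w.user_names = SAMPLE_USERS;
    w.num_of_users = SAMPLE_USER_COUNT;
    w.user_case_insensitive = case_insensitive;
    return status_user_allowed(&w, remote_user);
}

int main(void)
{
    /* Constructed REMOTE_USER values: the domain/case variants from the
     * thread plus a trailing-space and a domain-less name, which no
     * case folding will rescue. */
    static const char *const probes[] = {
        "DOMAIN\\Alice", "domain\\alice", "Domain\\ALICE",
        "Bob", "alice", "DOMAIN\\Alice "
    };
    size_t i;
    printf("%-16s %-10s %s\n", "REMOTE_USER", "sensitive", "insensitive");
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-16s %-10s %s\n", probes[i],
               sample_allowed(0, probes[i]) ? "allow" : "deny",
               sample_allowed(1, probes[i]) ? "allow" : "deny");
    return 0;
}
```

In workers.properties the corresponding settings for a status worker named jkstatus are `worker.jkstatus.type=status`, `worker.jkstatus.user=DOMAIN\Alice,bob` and `worker.jkstatus.user_case_insensitive=True`; leaving the last one out keeps the default case-sensitive match, so a Windows front end passing `domain\alice` is denied until either the list or the flag is adjusted. As noted earlier in the thread, this protects only the status worker; it does not gate the application workers themselves.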
Move a couple of fixed JK issues from resolved to closed.