Bug 41318 - JK Status Worker Security User Case Problem in Windows
JK Status Worker Security User Case Problem in Windows
Product: Tomcat Connectors
Classification: Unclassified
Component: Common
PC Windows Server 2003
: P2 enhancement (vote)
: ---
Assigned To: Tomcat Developers Mailing List
Depends on:
  Show dependency tree
Reported: 2007-01-08 09:40 UTC by Bjoern Andersen
Modified: 2014-02-17 13:56 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Bjoern Andersen 2007-01-08 09:40:04 UTC
First, thank you for implementing security in JK. I know it was possible to 
secure it before in Apache, but in IIS, JK is run before the NTFS-Rights 
apply. So this is a long awaited feature.

But seeing that this mainly applies to non-apache environments, it is bad that 
the user check done case sensitive.In IIS, especially when working with domain 
Users, User may com in UCase/LCase Domain\User in any combination. Even Cast 
differences in the Username (i.e. First letter capital or not) occour. Windows 
does not care, but JK does. So one can auth against IIS, but still be blocked 
from JK, even with the right user.

In the moment we workaround this with trying to put any combination in the 
properties-file. But this is a hopeless fight.

I understand that you might not be able to simply LCase the username because 
that would lose some compatibility to the unix side. But maybe you can 
introduce a parameter like "worker.jk-manage.casesensitive=True|False" ?
Comment 1 Rainer Jung 2007-01-08 10:03:54 UTC

good to hear, that the feature basically works :)

I'm sure you noticed, that this only secures the status worker? So we could only
discuss securing access to the status worker in an appropriate way.

I would like to consider, if we could make the string comparison case
insensitive dependent on the platform. So we could use case-insensitivity on the
Windows platform, and sesitivity on the other ones. I'm not sure about Netware,
but we could ask Günter Knauf about the habits there.

We usually use

#ifdef WIN32

to destinguish the Windows platform. Actually I don't know, if this is still
correct in times of 64 Bit Windows, but since Mladen actually does Windows 64
Bit builds since quote some time, I assume, that this is still correct.

So I would propose a patch as follows:

Index: jk_status.c
--- jk_status.c (revision 494133)
+++ jk_status.c (working copy)
@@ -2846,7 +2846,11 @@
             unsigned int i;
             denied = 1;
             for (i = 0; i < w->num_of_users; i++) {
+#if defined(WIN32)
+                if (!strcasecmp(s->remote_user, w->user_names[i])) {
                 if (!strcmp(s->remote_user, w->user_names[i])) {
                     denied = 0;

Maybe you could try this to find out, if this really handdles all the cases needed?

Thanks for the suggestion.
Comment 2 Bjoern Andersen 2007-01-08 10:28:15 UTC
this seems like a good solution. Although there might be case-insensitive auth-
subsystems unter unix and sensitive ones in a windows environment (some LDAP-
Systems), this is not the common way.

We'd be happy to test the enhancement, but we have no build environment here. 
So if anyone could supply a win32 and/or win64 build, we'd test it and report 
Comment 3 Rainer Jung 2007-01-28 05:16:53 UTC
I added a new attribute user_case_insensitive to the status worker,
which can be set to True in workers.properties to make the user
name comparison case insensitive. Default is False=case sensitive.
This will be part of version 1.2.21.
Comment 4 Rainer Jung 2008-01-01 16:51:30 UTC
Move a couple of fixed JK issues from resolved to closed.