[JBoss JIRA] Created: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)

[JBoss JIRA] Created: (JBAS-4562)...

[JBoss JIRA] Created: (JBAS-4672)...

Anil Saldhana (JIRA)

Monday, 10 December 2007 Mon, 10 Dec '07

12:07 a.m.

org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures) ---------------------------------------------------------------------------------- Key: JBAS-5069 URL: http://jira.jboss.com/jira/browse/JBAS-5069 Project: JBoss Application Server Issue Type: Bug Security Level: Public (Everyone can see) Components: Web (Tomcat) service Affects Versions: JBossAS-5.0.0.Beta2 Environment: org.jboss.test.security.test.WebConstraintsUnitTestCase Reproduce: a) Start JBoss5 b) ant -Dtest=org.jboss.test.security.test.WebConstraintsUnitTestCase one-test Reporter: Anil Saldhana Assigned To: Remy Maucherat Fix For: JBossAS-5.0.0.Beta3 With JBoss/Web, the excluded security constraints seem to be not working. The web.xml is: http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/secu... The errors are: http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... Failing calls: 1) testGetAccess() [GET IS EXCLUDED as per security constraint "excluded"] { // Validate that the excluded subcontext if not accessible url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); 2) testExcludedAccess() [Security Constraint "Excluded GET"] public void testExcludedAccess() throws Exception { String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass"); // Test the excluded security-constraint URL url = new URL(baseURL+"web-constraints/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); ...... Remy, please tell me if it is an issue with our security layer. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

Show replies by date

Remy Maucherat (JIRA)

Monday, 10 December Mon, 10 Dec

9:43 a.m.

New subject: [JBoss JIRA] Commented: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)

[ http://jira.jboss.com/jira/browse/JBAS-5069?page=comments#action_12391349 ] Remy Maucherat commented on JBAS-5069: -------------------------------------- I will test with this web.xml both in JBoss Web standalone and AS 5 to see what happens.

...

org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures) ---------------------------------------------------------------------------------- Key: JBAS-5069 URL: http://jira.jboss.com/jira/browse/JBAS-5069 Project: JBoss Application Server Issue Type: Bug Security Level: Public(Everyone can see) Components: Web (Tomcat) service Affects Versions: JBossAS-5.0.0.Beta2 Environment: org.jboss.test.security.test.WebConstraintsUnitTestCase Reproduce: a) Start JBoss5 b) ant -Dtest=org.jboss.test.security.test.WebConstraintsUnitTestCase one-test Reporter: Anil Saldhana Assigned To: Remy Maucherat Fix For: JBossAS-5.0.0.Beta3 With JBoss/Web, the excluded security constraints seem to be not working. The web.xml is: http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/secu... The errors are: http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... Failing calls: 1) testGetAccess() [GET IS EXCLUDED as per security constraint "excluded"] { // Validate that the excluded subcontext if not accessible url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); 2) testExcludedAccess() [Security Constraint "Excluded GET"] public void testExcludedAccess() throws Exception { String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass"); // Test the excluded security-constraint URL url = new URL(baseURL+"web-constraints/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); ...... Remy, please tell me if it is an issue with our security layer.

-- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

Remy Maucherat (JIRA)

Tuesday, 11 December Tue, 11 Dec

10:12 a.m.

New subject: [JBoss JIRA] Updated: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)

[ http://jira.jboss.com/jira/browse/JBAS-5069?page=all ] Remy Maucherat updated JBAS-5069: --------------------------------- Priority: Blocker (was: Major)

...

org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures) ---------------------------------------------------------------------------------- Key: JBAS-5069 URL: http://jira.jboss.com/jira/browse/JBAS-5069 Project: JBoss Application Server Issue Type: Bug Security Level: Public(Everyone can see) Components: Web (Tomcat) service Affects Versions: JBossAS-5.0.0.Beta2 Environment: org.jboss.test.security.test.WebConstraintsUnitTestCase Reproduce: a) Start JBoss5 b) ant -Dtest=org.jboss.test.security.test.WebConstraintsUnitTestCase one-test Reporter: Anil Saldhana Assigned To: Remy Maucherat Priority: Blocker Fix For: JBossAS-5.0.0.Beta3 With JBoss/Web, the excluded security constraints seem to be not working. The web.xml is: http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/secu... The errors are: http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... Failing calls: 1) testGetAccess() [GET IS EXCLUDED as per security constraint "excluded"] { // Validate that the excluded subcontext if not accessible url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); 2) testExcludedAccess() [Security Constraint "Excluded GET"] public void testExcludedAccess() throws Exception { String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass"); // Test the excluded security-constraint URL url = new URL(baseURL+"web-constraints/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); ...... Remy, please tell me if it is an issue with our security layer.

Remy Maucherat (JIRA)

10:12 a.m.

New subject: [JBoss JIRA] Commented: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)

[ http://jira.jboss.com/jira/browse/JBAS-5069?page=comments#action_12391589 ] Remy Maucherat commented on JBAS-5069: -------------------------------------- I am using an empty WAR with the web.xml you provided for testing (if a request goes through the constraints, it will return a 500, which is good enough). Not surprisingly, I cannot reproduce the issue in JBoss Web 2.1 standalone, but it "works" in AS 5.0. One possibility for the problem is that parsing of the web.xml is not done properly.

...

org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures) ---------------------------------------------------------------------------------- Key: JBAS-5069 URL: http://jira.jboss.com/jira/browse/JBAS-5069 Project: JBoss Application Server Issue Type: Bug Security Level: Public(Everyone can see) Components: Web (Tomcat) service Affects Versions: JBossAS-5.0.0.Beta2 Environment: org.jboss.test.security.test.WebConstraintsUnitTestCase Reproduce: a) Start JBoss5 b) ant -Dtest=org.jboss.test.security.test.WebConstraintsUnitTestCase one-test Reporter: Anil Saldhana Assigned To: Remy Maucherat Fix For: JBossAS-5.0.0.Beta3 With JBoss/Web, the excluded security constraints seem to be not working. The web.xml is: http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/secu... The errors are: http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... Failing calls: 1) testGetAccess() [GET IS EXCLUDED as per security constraint "excluded"] { // Validate that the excluded subcontext if not accessible url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); 2) testExcludedAccess() [Security Constraint "Excluded GET"] public void testExcludedAccess() throws Exception { String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass"); // Test the excluded security-constraint URL url = new URL(baseURL+"web-constraints/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); ...... Remy, please tell me if it is an issue with our security layer.

Remy Maucherat (JIRA)

11:32 a.m.

New subject: [JBoss JIRA] Assigned: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)

[ http://jira.jboss.com/jira/browse/JBAS-5069?page=all ] Remy Maucherat reassigned JBAS-5069: ------------------------------------ Assignee: Scott M Stark (was: Remy Maucherat)

...

From my testing, it seems a security-constraint element with multiple web-resource-collection elements will only get the last collection in the metadata (a portion of the web.xml linked in the report):

<security-constraint> <display-name>excluded</display-name> <web-resource-collection> <web-resource-name>No Access</web-resource-name> <url-pattern>/excluded/*</url-pattern> <url-pattern>/restricted/get-only/excluded/*</url-pattern> <url-pattern>/restricted/post-only/excluded/*</url-pattern> <url-pattern>/restricted/any/excluded/*</url-pattern> </web-resource-collection> <web-resource-collection> <web-resource-name>No Access</web-resource-name> <url-pattern>/restricted/*</url-pattern> <http-method>DELETE</http-method> <http-method>PUT</http-method> <http-method>HEAD</http-method> <http-method>OPTIONS</http-method> <http-method>TRACE</http-method> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint /> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> The code reading the collections metedata is in JBossContextConfig: WebResourceCollectionsMetaData wrcs = value.getResourceCollections(); if(wrcs != null) { for(WebResourceCollectionMetaData wrc : wrcs) { org.apache.catalina.deploy.SecurityCollection collection2 = new org.apache.catalina.deploy.SecurityCollection(); collection2.setName(wrc.getName()); List<String> methods = wrc.getHttpMethods(); if(methods != null) { for (String method : wrc.getHttpMethods()) { collection2.addMethod(method); } } List<String> patterns = wrc.getUrlPatterns(); if(patterns != null) { for (String pattern : patterns) { collection2.addPattern(pattern); } } constraint.addCollection(collection2); } } Can you reproduce the problem ?

...

org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures) ---------------------------------------------------------------------------------- Key: JBAS-5069 URL: http://jira.jboss.com/jira/browse/JBAS-5069 Project: JBoss Application Server Issue Type: Bug Security Level: Public(Everyone can see) Components: Web (Tomcat) service Affects Versions: JBossAS-5.0.0.Beta2 Environment: org.jboss.test.security.test.WebConstraintsUnitTestCase Reproduce: a) Start JBoss5 b) ant -Dtest=org.jboss.test.security.test.WebConstraintsUnitTestCase one-test Reporter: Anil Saldhana Assigned To: Scott M Stark Priority: Blocker Fix For: JBossAS-5.0.0.Beta3 With JBoss/Web, the excluded security constraints seem to be not working. The web.xml is: http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/secu... The errors are: http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... Failing calls: 1) testGetAccess() [GET IS EXCLUDED as per security constraint "excluded"] { // Validate that the excluded subcontext if not accessible url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); 2) testExcludedAccess() [Security Constraint "Excluded GET"] public void testExcludedAccess() throws Exception { String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass"); // Test the excluded security-constraint URL url = new URL(baseURL+"web-constraints/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); ...... Remy, please tell me if it is an issue with our security layer.

Scott M Stark (JIRA)

Friday, 14 December Fri, 14 Dec

1:41 a.m.

New subject: [JBoss JIRA] Commented: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)

[ http://jira.jboss.com/jira/browse/JBAS-5069?page=comments#action_12392139 ] Scott M Stark commented on JBAS-5069: ------------------------------------- Yes, I added WebApp24UnitTestCase.testSecurityConstraint test to the metadata project that shows the problem. The WebResourceCollectionsMetaData is a set keyed on the non-unique web-resource-collection/web-resource-name. The WebResourceCollectionsMetaData should simply be a list.

...

org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures) ---------------------------------------------------------------------------------- Key: JBAS-5069 URL: http://jira.jboss.com/jira/browse/JBAS-5069 Project: JBoss Application Server Issue Type: Bug Security Level: Public(Everyone can see) Components: Web (Tomcat) service Affects Versions: JBossAS-5.0.0.Beta2 Environment: org.jboss.test.security.test.WebConstraintsUnitTestCase Reproduce: a) Start JBoss5 b) ant -Dtest=org.jboss.test.security.test.WebConstraintsUnitTestCase one-test Reporter: Anil Saldhana Assigned To: Scott M Stark Priority: Blocker Fix For: JBossAS-5.0.0.Beta3 With JBoss/Web, the excluded security constraints seem to be not working. The web.xml is: http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/secu... The errors are: http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... Failing calls: 1) testGetAccess() [GET IS EXCLUDED as per security constraint "excluded"] { // Validate that the excluded subcontext if not accessible url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); 2) testExcludedAccess() [Security Constraint "Excluded GET"] public void testExcludedAccess() throws Exception { String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass"); // Test the excluded security-constraint URL url = new URL(baseURL+"web-constraints/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); ...... Remy, please tell me if it is an issue with our security layer.

Scott M Stark (JIRA)

2:32 a.m.

New subject: [JBoss JIRA] Resolved: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)

[ http://jira.jboss.com/jira/browse/JBAS-5069?page=all ] Scott M Stark resolved JBAS-5069. --------------------------------- Resolution: Done With the code that will go into 1.0.0.Beta4, this test passes: one-test: [mkdir] Created dir: /home/svn/JBossHead/jboss-head/testsuite/output/log [junit] Running org.jboss.test.security.test.WebConstraintsUnitTestCase [junit] Tests run: 4, Failures: 0, Errors: 0, Time elapsed: 13.841 sec BUILD SUCCESSFUL

...

org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures) ---------------------------------------------------------------------------------- Key: JBAS-5069 URL: http://jira.jboss.com/jira/browse/JBAS-5069 Project: JBoss Application Server Issue Type: Bug Security Level: Public(Everyone can see) Components: Web (Tomcat) service Affects Versions: JBossAS-5.0.0.Beta2 Environment: org.jboss.test.security.test.WebConstraintsUnitTestCase Reproduce: a) Start JBoss5 b) ant -Dtest=org.jboss.test.security.test.WebConstraintsUnitTestCase one-test Reporter: Anil Saldhana Assigned To: Scott M Stark Priority: Blocker Fix For: JBossAS-5.0.0.Beta3 With JBoss/Web, the excluded security constraints seem to be not working. The web.xml is: http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/secu... The errors are: http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... Failing calls: 1) testGetAccess() [GET IS EXCLUDED as per security constraint "excluded"] { // Validate that the excluded subcontext if not accessible url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); 2) testExcludedAccess() [Security Constraint "Excluded GET"] public void testExcludedAccess() throws Exception { String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass"); // Test the excluded security-constraint URL url = new URL(baseURL+"web-constraints/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); ...... Remy, please tell me if it is an issue with our security layer.

Anil Saldhana (JIRA)

2:36 a.m.

New subject: [JBoss JIRA] Commented: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)

[ http://jira.jboss.com/jira/browse/JBAS-5069?page=comments#action_12392142 ] Anil Saldhana commented on JBAS-5069: ------------------------------------- Thanks for the fix, Scott.

...

org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures) ---------------------------------------------------------------------------------- Key: JBAS-5069 URL: http://jira.jboss.com/jira/browse/JBAS-5069 Project: JBoss Application Server Issue Type: Bug Security Level: Public(Everyone can see) Components: Web (Tomcat) service Affects Versions: JBossAS-5.0.0.Beta2 Environment: org.jboss.test.security.test.WebConstraintsUnitTestCase Reproduce: a) Start JBoss5 b) ant -Dtest=org.jboss.test.security.test.WebConstraintsUnitTestCase one-test Reporter: Anil Saldhana Assigned To: Scott M Stark Priority: Blocker Fix For: JBossAS-5.0.0.Beta3 With JBoss/Web, the excluded security constraints seem to be not working. The web.xml is: http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/secu... The errors are: http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... Failing calls: 1) testGetAccess() [GET IS EXCLUDED as per security constraint "excluded"] { // Validate that the excluded subcontext if not accessible url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); 2) testExcludedAccess() [Security Constraint "Excluded GET"] public void testExcludedAccess() throws Exception { String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass"); // Test the excluded security-constraint URL url = new URL(baseURL+"web-constraints/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); ...... Remy, please tell me if it is an issue with our security layer.

Remy Maucherat (JIRA)

8:30 a.m.

New subject: [JBoss JIRA] Commented: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)

[ http://jira.jboss.com/jira/browse/JBAS-5069?page=comments#action_12392182 ] Remy Maucherat commented on JBAS-5069: -------------------------------------- Thanks a lot :)

...

org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures) ---------------------------------------------------------------------------------- Key: JBAS-5069 URL: http://jira.jboss.com/jira/browse/JBAS-5069 Project: JBoss Application Server Issue Type: Bug Security Level: Public(Everyone can see) Components: Web (Tomcat) service Affects Versions: JBossAS-5.0.0.Beta2 Environment: org.jboss.test.security.test.WebConstraintsUnitTestCase Reproduce: a) Start JBoss5 b) ant -Dtest=org.jboss.test.security.test.WebConstraintsUnitTestCase one-test Reporter: Anil Saldhana Assigned To: Scott M Stark Priority: Blocker Fix For: JBossAS-5.0.0.Beta3 With JBoss/Web, the excluded security constraints seem to be not working. The web.xml is: http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/secu... The errors are: http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSui... Failing calls: 1) testGetAccess() [GET IS EXCLUDED as per security constraint "excluded"] { // Validate that the excluded subcontext if not accessible url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); 2) testExcludedAccess() [Security Constraint "Excluded GET"] public void testExcludedAccess() throws Exception { String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass"); // Test the excluded security-constraint URL url = new URL(baseURL+"web-constraints/excluded/x"); HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN); ...... Remy, please tell me if it is an issue with our security layer.

6225

days inactive

6229

days old

jboss-jira@lists.jboss.org

Manage subscription

8 comments

3 participants

tags (0)

participants (3)

Anil Saldhana (JIRA)
Remy Maucherat (JIRA)
Scott M Stark (JIRA)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

[JBoss JIRA] Created: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)