[jboss-jira] [JBoss JIRA] Assigned: (JBAS-5069) org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)

Remy Maucherat (JIRA) jira-events at lists.jboss.org
Tue Dec 11 12:32:51 EST 2007


     [ http://jira.jboss.com/jira/browse/JBAS-5069?page=all ]

Remy Maucherat reassigned JBAS-5069:
------------------------------------

    Assignee: Scott M Stark  (was: Remy Maucherat)

From my testing, it seems a security-constraint element with multiple web-resource-collection elements will only get the last collection in the metadata (a portion of the web.xml linked in the report):
   <security-constraint>
      <display-name>excluded</display-name>
      <web-resource-collection>
         <web-resource-name>No Access</web-resource-name>
         <url-pattern>/excluded/*</url-pattern>
         <url-pattern>/restricted/get-only/excluded/*</url-pattern>
         <url-pattern>/restricted/post-only/excluded/*</url-pattern>
         <url-pattern>/restricted/any/excluded/*</url-pattern>
      </web-resource-collection>
      <web-resource-collection>
         <web-resource-name>No Access</web-resource-name>
         <url-pattern>/restricted/*</url-pattern>
         <http-method>DELETE</http-method>
         <http-method>PUT</http-method>
         <http-method>HEAD</http-method>
         <http-method>OPTIONS</http-method>
         <http-method>TRACE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint />
      <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
   </security-constraint>

The code reading the collections metadata is in JBossContextConfig:
            WebResourceCollectionsMetaData wrcs = value.getResourceCollections();
            if (wrcs != null)
            {
               // each <web-resource-collection> becomes one Catalina SecurityCollection
               for (WebResourceCollectionMetaData wrc : wrcs)
               {
                  org.apache.catalina.deploy.SecurityCollection collection2 =
                     new org.apache.catalina.deploy.SecurityCollection();
                  collection2.setName(wrc.getName());
                  // copy the <http-method> entries (none means all methods)
                  List<String> methods = wrc.getHttpMethods();
                  if (methods != null)
                  {
                     for (String method : methods)
                     {
                        collection2.addMethod(method);
                     }
                  }
                  // copy the <url-pattern> entries
                  List<String> patterns = wrc.getUrlPatterns();
                  if (patterns != null)
                  {
                     for (String pattern : patterns)
                     {
                        collection2.addPattern(pattern);
                     }
                  }
                  constraint.addCollection(collection2);
               }
            }

Can you reproduce the problem?

> org.jboss.test.security.test.WebConstraintsUnitTestCase (Excluded Access failures)
> ----------------------------------------------------------------------------------
>
>                 Key: JBAS-5069
>                 URL: http://jira.jboss.com/jira/browse/JBAS-5069
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Web (Tomcat) service
>    Affects Versions: JBossAS-5.0.0.Beta2
>         Environment: org.jboss.test.security.test.WebConstraintsUnitTestCase
> Reproduce:
> a) Start JBoss5
> b) ant -Dtest=org.jboss.test.security.test.WebConstraintsUnitTestCase one-test
>            Reporter: Anil Saldhana
>         Assigned To: Scott M Stark
>            Priority: Blocker
>             Fix For:  JBossAS-5.0.0.Beta3
>
>
> With JBoss/Web, the excluded security constraints seem to be not working.
> The web.xml is:
> http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/security/web-constraints/web.xml
> The errors are:
> http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSuite-sun15-noip/lastBuild/testReport/org.jboss.test.security.test/WebConstraintsUnitTestCase(tests-security-basic-unit)/testGetAccess/
> http://hudson.jboss.org/hudson/view/JBoss%20AS/job/JBoss-AS-5.0.x-TestSuite-sun15-noip/lastBuild/testReport/org.jboss.test.security.test/WebConstraintsUnitTestCase(tests-security-basic-unit)/testExcludedAccess/
> Failing calls:
> 1) testGetAccess()  [GET IS EXCLUDED as per security constraint "excluded"]
> {
>      // Validate that the excluded subcontext is not accessible
>       url = new URL(baseURL+"web-constraints/restricted/get-only/excluded/x");
>       HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);
> 2) testExcludedAccess()  [Security Constraint "Excluded GET"]
>  public void testExcludedAccess() throws Exception
>    {
>       String baseURL = HttpUtils.getBaseURL("getUser", "getUserPass");
>       // Test the excluded security-constraint
>       URL url = new URL(baseURL+"web-constraints/excluded/x");
>       HttpUtils.accessURL(url, REALM, HttpURLConnection.HTTP_FORBIDDEN);
> ......
> Remy, please tell me if it is an issue with our security layer.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
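Worked example added for this archive page (it is not JBoss or Tomcat code): a small model of how a servlet container matches a request against web.xml security constraints, and what changes when only the last web-resource-collection of a constraint survives, as Remy suspects above. The "excluded" constraint is the one quoted in the ticket; the "get-only" constraint with role GetRole is constructed here (an assumption, not taken from the linked web.xml) so that the longest-prefix selection between constraints is visible. The keep_only_last flag, the decide() helper and the simplified Tomcat-style "longest matching pattern wins" rule are all this example's own.

```python
"""Servlet <security-constraint> matching, written for this page as an added
example; it is not JBoss or Tomcat code.  The "excluded" constraint is the one
quoted in the ticket; the "get-only" constraint is CONSTRUCTED here (assumed,
not taken from the linked web.xml) so that longest-prefix selection is visible."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <display-name>excluded</display-name>
    <web-resource-collection>
      <web-resource-name>No Access</web-resource-name>
      <url-pattern>/excluded/*</url-pattern>
      <url-pattern>/restricted/get-only/excluded/*</url-pattern>
      <url-pattern>/restricted/post-only/excluded/*</url-pattern>
      <url-pattern>/restricted/any/excluded/*</url-pattern>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>No Access</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
      <http-method>DELETE</http-method> <http-method>PUT</http-method>
      <http-method>HEAD</http-method> <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method> <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <security-constraint>
    <display-name>get-only (constructed, not from the ticket)</display-name>
    <web-resource-collection>
      <web-resource-name>GetOnly</web-resource-name>
      <url-pattern>/restricted/get-only/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>GetRole</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def parse_constraints(xml_text, keep_only_last=False):
    """Read every <security-constraint>.  keep_only_last=True models the
    suspected metadata bug: only the last <web-resource-collection> survives."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        colls = []
        for wrc in sc.findall("web-resource-collection"):
            colls.append({
                "patterns": [p.text.strip() for p in wrc.findall("url-pattern")],
                # an empty set means the collection covers every HTTP method
                "methods": {m.text.strip() for m in wrc.findall("http-method")},
            })
        if keep_only_last:
            colls = colls[-1:]
        auth = sc.find("auth-constraint")
        roles = [] if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        out.append({
            "name": sc.findtext("display-name"),
            "collections": colls,
            # <auth-constraint/> with no <role-name> means nobody may access
            "excluded": auth is not None and not roles,
            "roles": roles,
        })
    return out


def match_len(pattern, path):
    """Exact and path-prefix ("/x/*") url-patterns only, which is all the
    ticket's web.xml uses.  Returns the matched length, or -1 for no match."""
    if pattern == path:
        return len(pattern) + 1  # exact match outranks a prefix of equal length
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return len(prefix)
    return -1


def decide(constraints, method, path):
    """Simplified Tomcat-style selection: only the constraints that match via
    the longest pattern apply; an excluded constraint among them wins."""
    best, chosen = -1, []
    for c in constraints:
        for coll in c["collections"]:
            if coll["methods"] and method not in coll["methods"]:
                continue
            for n in (match_len(p, path) for p in coll["patterns"]):
                if n > best:
                    best, chosen = n, [c]
                elif n == best and n >= 0:
                    chosen.append(c)
    if not chosen:
        return "permit"
    if any(c["excluded"] for c in chosen):
        return "403 excluded"
    return "auth required: " + ",".join(sorted({r for c in chosen for r in c["roles"]}))


if __name__ == "__main__":
    for buggy in (False, True):
        cs = parse_constraints(WEB_XML, keep_only_last=buggy)
        for method, path in (("GET", "/excluded/x"), ("GET", "/restricted/get-only/excluded/x")):
            print(f"only-last={buggy}: {method} {path} -> {decide(cs, method, path)}")
```

With both collections kept, GET /excluded/x and GET /restricted/get-only/excluded/x both resolve to the excluded constraint (403, as the two failing tests expect). With only the last collection kept, /excluded/x matches nothing and is permitted, and /restricted/get-only/excluded/x is now best matched by the constructed /restricted/get-only/* pattern and only requires GetRole; that is the shape of the two failures in the report. A real container adds rules this model leaves out (extension patterns, the default "/" pattern, role merging across constraints), so use it to reason about the metadata, not as a substitute for the container's own check.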
