[jboss-jira] [JBoss JIRA] Commented: (JBAS-4085) failing org.jboss.test.web.test.WebIntegrationUnitTestCase

Brian Stansberry (JIRA) jira-events at lists.jboss.org
Wed Feb 21 18:24:35 EST 2007


    [ http://jira.jboss.com/jira/browse/JBAS-4085?page=comments#action_12353880 ] 
            
Brian Stansberry commented on JBAS-4085:
----------------------------------------

Based on the following e-mail discussion w/ Remy, I'm going to change these tests to assert a 400 rather than a 403:

Brian Stansberry wrote:
> I suspect the test below is failing due to a change in Tomcat, where TC may be correct and the test just needs an update.
>
> Test does this:
>
> GET of http://localhost:8080/jbosstest//restricted3//SecureServlet
>
> which fails with a 403, as the test expects.
>
> Then it does a GET of http://localhost:8080/jbosstest/%2frestricted3//SecureServlet (replace a / with %2f) and TC responds with a 400 -- Bad Request.  Test fails because it expects a 403.
>
> Is http://localhost:8080/jbosstest/%2frestricted3//SecureServlet an invalid request?  If so, the 400 is fine, and the test just needs to be updated. The purpose of the test is to ensure that tricks with the URL don't allow unauthorized access (http://jira.jboss.com/jira/browse/JBAS-3279).

There are new security constraints by default for the path portion of URLs:
- no %xx encoded '/'
- no '\', %xx encoded or not
(obviously, this sort of cute trick is highly suspicious from a security standpoint)

The reason for that change is that proxies may or may not normalize the URL the way Tomcat does, and may be incorrectly passing requests to Tomcat (there's a minor security advisory about that coming). There are two new system properties which may be used to allow this stuff:
- "org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH" to "true"
- "org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH" to "true"

Rémy 

> failing org.jboss.test.web.test.WebIntegrationUnitTestCase
> ----------------------------------------------------------
>
>                 Key: JBAS-4085
>                 URL: http://jira.jboss.com/jira/browse/JBAS-4085
>             Project: JBoss Application Server
>          Issue Type: Sub-task
>      Security Level: Public(Everyone can see) 
>          Components: Test Suite, Web (Tomcat) service
>            Reporter: Scott M Stark
>         Assigned To: Brian Stansberry
>
>   <testcase classname="org.jboss.test.web.test.WebIntegrationUnitTestCase" name="testBadWarRedeploy" time="1.093">
>     <error message="Expected reply code:200, actual=503" type="java.io.IOException">java.io.IOException: Expected reply code:200, actual=503
> 	at org.jboss.test.util.web.HttpUtils.accessURL(HttpUtils.java:137)
> 	at org.jboss.test.util.web.HttpUtils.accessURL(HttpUtils.java:108)
> 	at org.jboss.test.util.web.HttpUtils.accessURL(HttpUtils.java:96)
> 	at org.jboss.test.web.test.WebIntegrationUnitTestCase.testBadWarRedeploy(WebIntegrationUnitTestCase.java:373)
> 	at jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown Source)
> 	at junit.extensions.TestDecorator.basicRun(TestDecorator.java:22)
> 	at junit.extensions.TestSetup$1.protect(TestSetup.java:19)
> 	at junit.extensions.TestSetup.run(TestSetup.java:23)
> </error>
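The following Python sketch is an added illustration of the behaviour discussed above; it is not code from the JIRA thread, from the JBoss test suite, or from Tomcat's CoyoteAdapter/UDecoder. It applies the two rules Rémy lists (reject a %xx-encoded '/', reject a '\' whether encoded or not) to the raw, undecoded path, and only then decodes and normalizes before matching the security constraint. The protected prefix `/jbosstest/restricted3/`, the function names, and the "lenient" pre-change handler are all constructed assumptions for the example; the test URLs are the two GETs from Brian's message.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed assumption: the only protected prefix in the sample web app,
# derived from the /jbosstest/restricted3/ URLs quoted in the thread.
PROTECTED_PREFIXES = ("/jbosstest/restricted3/",)

# Rule 1: no %xx-encoded '/' in the path (case-insensitive).
_ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)
# Rule 2: no '\' in the path, raw or %xx-encoded.
_BACKSLASH = re.compile(r"\\|%5c", re.IGNORECASE)


def violates_path_rules(raw_path: str) -> Optional[str]:
    """Apply both rules to the *undecoded* request path.

    Returns a short reason when the request should be answered with 400,
    or None when the path is acceptable.
    """
    if _ENCODED_SLASH.search(raw_path):
        return "encoded slash (%2F) in path"
    if _BACKSLASH.search(raw_path):
        return "backslash in path (raw or %5C)"
    return None


def normalize(raw_path: str) -> str:
    """Decode %xx escapes, then collapse '//' and resolve '.'/'..' segments."""
    return posixpath.normpath(unquote(raw_path))


def is_protected(normalized_path: str) -> bool:
    """Match the normalized path against the security constraint."""
    return any(normalized_path.startswith(p) for p in PROTECTED_PREFIXES)


def tomcat_like_status(raw_path: str, authenticated: bool = False) -> int:
    """Status for a GET with the new defaults: reject ambiguous encodings
    before they can be normalized into a protected resource."""
    if violates_path_rules(raw_path):
        return 400
    if is_protected(normalize(raw_path)) and not authenticated:
        return 403
    return 200


def lenient_status(raw_path: str, authenticated: bool = False) -> int:
    """The pre-change behaviour the test was written against: decode and
    normalize first, then apply the constraint (so %2f still ends in 403)."""
    if is_protected(normalize(raw_path)) and not authenticated:
        return 403
    return 200


def proxy_raw_match(raw_path: str) -> bool:
    """A front-end proxy that checks the constraint against the raw path,
    without decoding or collapsing slashes. Its verdict can disagree with
    the backend's, which is the mismatch Rémy describes."""
    return any(raw_path.startswith(p) for p in PROTECTED_PREFIXES)


if __name__ == "__main__":
    for url in ("/jbosstest//restricted3//SecureServlet",
                "/jbosstest/%2frestricted3//SecureServlet"):
        print(url, "->", tomcat_like_status(url),
              "(lenient:", lenient_status(url),
              "| raw-matching proxy sees protected:", proxy_raw_match(url), ")")
```

Running it shows the two responses from the thread: the `//` form normalizes to the protected servlet and gets 403, while the `%2f` form is refused with 400 before decoding. The `proxy_raw_match` line is the reason the stricter default makes sense: a proxy comparing raw prefixes treats both URLs as unprotected, whereas the backend's normalized view puts them under `/jbosstest/restricted3/`, so rejecting the ambiguous encoding outright removes the disagreement instead of relying on every hop to normalize identically.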

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira