Posted to dev@tomcat.apache.org by bu...@apache.org on 2001/10/23 20:59:40 UTC

DO NOT REPLY [Bug 4374] New: - bypass of authentication mechanism

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4374>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4374

bypass of authentication mechanism

           Summary: bypass of authentication mechanism
           Product: Tomcat 4
           Version: 4.0.1 Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: mike.adair@ccrs.nrcan.gc.ca


The container based security mechanism in tomcat can be bypassed by accessing 
the protected page using <jsp:include/> or <jsp:forward/>.  A user can access 
the page with a null username, where I think the login form should be displayed.

This is occurring with the MemoryRealm, as well as with my custom JDBC realm 
implementation.  It also applies to tomcat v3.2.3.

I will add an attachment to this bug report which is a jsp file that can be 
used in the webapps/examples/jsp directory to demonstrate the problem.
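A defensive check for the behaviour described in the report, added here as an example and not part of the bug report, of its attachment, or of Tomcat itself: a servlet filter that is also mapped to FORWARD and INCLUDE dispatches (a Servlet 2.4+ feature, so it assumes a newer container than the 4.0.1 in the report) and refuses to let a dispatched request reach a protected path when no authenticated principal is present. The `/protected/` prefix and the class name are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Container security constraints are evaluated only for requests arriving from
// the client, so a <jsp:include/> or <jsp:forward/> from an unprotected page
// reaches the protected target without ever showing the login form. This filter
// closes that gap when mapped in web.xml with:
//   <dispatcher>REQUEST</dispatcher> <dispatcher>FORWARD</dispatcher> <dispatcher>INCLUDE</dispatcher>
public class DispatchAuthFilter implements Filter {
    private static final String PROTECTED_PREFIX = "/protected/"; // assumed path layout

    public void init(FilterConfig cfg) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // For an INCLUDE, getServletPath() still names the including page; the
        // included target is exposed through the javax.servlet.include.* attributes.
        // For a FORWARD, getServletPath() already reflects the forward target.
        String included = (String) request.getAttribute("javax.servlet.include.servlet_path");
        boolean isInclude = included != null;
        String target = isInclude ? included : request.getServletPath();

        if (target.startsWith(PROTECTED_PREFIX) && request.getUserPrincipal() == null) {
            if (isInclude) {
                // An included resource may not change the response status, so abort
                // the including page instead of trying to send a 401 from here.
                throw new ServletException("unauthenticated include of " + target);
            }
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```

The check mirrors the report's symptom directly: the "null username" the reporter observed is exactly `getUserPrincipal()` returning null on the dispatched request.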