Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/05/13 13:49:13 UTC
DO NOT REPLY [Bug 9027] New: - The Tomcat Servlet Container uses the identity specified in a servlet with the element <run-as> for every web component.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9027>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9027
Summary: The Tomcat Servlet Container uses the identity specified in a servlet with the element <run-as> for every web component.
Product: Tomcat 4
Version: 4.0.1 Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Critical
Priority: Other
Component: Servlet & JSP API
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: markus.ide@ejbguru.de
The Tomcat Servlet Container uses the identity specified in a servlet with the
element <run-as> for every web component.
This identity should only be used for calls in the specified servlet and not
for calls in other web components. In my opinion this is a fatal error.
The following test scenario could be used to detect the error (I use the J2EE
Reference Implementation from Sun).
1.) create an EJB archive with the session bean TestEJB
2.) insert the JSPs test.jsp and testRunAs.jsp in a web archive
3.) modify the security for the JSPs as shown in the deployment descriptor web.xml
4.) modify the caller-id of the JSP testRunAs.jsp to the role 'eng' and the
user 'scott'
5.) deploy the application
6.) request test.jsp and testRunAs.jsp with the username j2ee/j2ee. The
caller of the EJB is always the one who is specified for testRunAs.jsp, that
means 'scott'. A request to test.jsp should use the authenticated user (j2ee).
-----------------------------------------------------------------
JSP Testfile: 'test.jsp'
-----------------------------------------------------------------
<html>
<head>
<title>test</title>
<%@ page import="de.j2eeguru.example.Test" %>
<%@ page import="de.j2eeguru.example.TestHome" %>
<%@ page import="javax.naming.InitialContext" %>
<%@ page import="javax.rmi.PortableRemoteObject" %>
</head>
<body>
<p>Identity of the user in test.jsp: <%= request.getRemoteUser() %></p>
<p>
Identity of the EJB caller:
<%
    String callerID = "???";
    try
    {
        // obtain the JNDI context
        InitialContext ctx = new InitialContext();
        // look up the JNDI name
        Object ref = ctx.lookup("de/ejbguru/test");
        // narrow to the home interface
        TestHome testHome = (TestHome)
            PortableRemoteObject.narrow(ref, TestHome.class);
        // create the EJB and obtain a reference to the remote interface
        Test test = testHome.create();
        // invoke the EJB's business method
        callerID = test.getUserName();
        // the remote interface is no longer needed
        test.remove();
    }
    catch (Exception ex)
    {
        ex.printStackTrace();
        callerID = "Fehler aufgetreten:" + ex.getMessage();
    }
%>
<%= callerID %>
</p>
</body>
</html>
-----------------------------------------------------------------
JSP Testfile: 'testRunAs.jsp' (in fact the same as test.jsp)
-----------------------------------------------------------------
<html>
<head>
<title>test</title>
<%@ page import="de.j2eeguru.example.Test" %>
<%@ page import="de.j2eeguru.example.TestHome" %>
<%@ page import="javax.naming.InitialContext" %>
<%@ page import="javax.rmi.PortableRemoteObject" %>
</head>
<body>
<p>Identity of the user in testRunAs.jsp: <%= request.getRemoteUser() %></p>
<p>
Identity of the EJB caller:
<%
    String callerID = "???";
    try
    {
        // obtain the JNDI context
        InitialContext ctx = new InitialContext();
        // look up the JNDI name
        Object ref = ctx.lookup("de/ejbguru/test");
        // narrow to the home interface
        TestHome testHome = (TestHome)
            PortableRemoteObject.narrow(ref, TestHome.class);
        // create the EJB and obtain a reference to the remote interface
        Test test = testHome.create();
        // invoke the EJB's business method
        callerID = test.getUserName();
        // the remote interface is no longer needed
        test.remove();
    }
    catch (Exception ex)
    {
        ex.printStackTrace();
        callerID = "Fehler aufgetreten:" + ex.getMessage();
    }
%>
<%= callerID %>
</p>
</body>
</html>
-----------------------------------------------------------------
WEB.XML:
-----------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>
<web-app>
    <display-name>RunAsWebApp</display-name>
    <servlet>
        <servlet-name>test</servlet-name>
        <display-name>test</display-name>
        <jsp-file>/test.jsp</jsp-file>
    </servlet>
    <servlet>
        <servlet-name>testRunAs</servlet-name>
        <display-name>testRunAs</display-name>
        <jsp-file>/testRunAs.jsp</jsp-file>
        <run-as>
            <role-name>eng</role-name>
        </run-as>
    </servlet>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>WRCollection</web-resource-name>
            <url-pattern>/test.jsp</url-pattern>
            <url-pattern>/testRunAs.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>mgr</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Default</realm-name>
    </login-config>
    <security-role>
        <role-name>eng</role-name>
    </security-role>
    <security-role>
        <role-name>mgr</role-name>
    </security-role>
</web-app>
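The descriptor above only declares <run-as> on the testRunAs servlet, so per the servlet specification only calls made from testRunAs.jsp should reach the EJB as the 'eng' principal; test.jsp should propagate the authenticated user. The script below is an added audit helper, not code from the bug report or from Tomcat: it parses a web.xml, lists which servlets declare <run-as> and which do not (the latter are the components that would inherit the run-as identity on a container with this defect), and turns the reporter's step 6 into a check that compares the principal the EJB observed against the principal the specification requires. It also strips XML namespaces so the same code works for later, namespaced web-app schemas, which the report does not cover. The sample descriptor is a constructed copy of the one above with the DOCTYPE omitted, and the 'eng' -> 'scott' role mapping and the observed principals are taken from the report's test description.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the bug report's web.xml (DOCTYPE omitted so the parser
# never needs the external DTD); only the elements the audit looks at are kept.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <display-name>RunAsWebApp</display-name>
  <servlet>
    <servlet-name>test</servlet-name>
    <jsp-file>/test.jsp</jsp-file>
  </servlet>
  <servlet>
    <servlet-name>testRunAs</servlet-name>
    <jsp-file>/testRunAs.jsp</jsp-file>
    <run-as>
      <role-name>eng</role-name>
    </run-as>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/test.jsp</url-pattern>
      <url-pattern>/testRunAs.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>mgr</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Drop an XML namespace prefix ('{uri}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    for c in _children(elem, name):
        return (c.text or "").strip()
    return None


def parse_servlets(web_xml):
    """Map servlet-name -> {'resource': jsp-file or servlet-class, 'run_as': role or None}."""
    root = ET.fromstring(web_xml)
    servlets = {}
    for s in _children(root, "servlet"):
        run_as = None
        for ra in _children(s, "run-as"):
            run_as = _text(ra, "role-name")
        servlets[_text(s, "servlet-name")] = {
            "resource": _text(s, "jsp-file") or _text(s, "servlet-class"),
            "run_as": run_as,
        }
    return servlets


def audit_run_as(web_xml):
    """Report which servlets declare <run-as>; every other servlet in the same
    web application is 'at_risk' of inheriting that identity on an affected
    container (there is nothing to inherit if no servlet declares <run-as>)."""
    servlets = parse_servlets(web_xml)
    with_run_as = {n: v["run_as"] for n, v in servlets.items() if v["run_as"]}
    without = sorted(n for n, v in servlets.items() if not v["run_as"])
    return {"run_as": with_run_as, "no_run_as": without,
            "at_risk": without if with_run_as else []}


def expected_caller(servlets, servlet_name, authenticated_user, role_principals):
    """Principal the EJB must see per the spec: the mapped run-as principal for a
    servlet that declares <run-as>, otherwise the authenticated web user."""
    role = servlets[servlet_name]["run_as"]
    return authenticated_user if role is None else role_principals[role]


def find_leaks(servlets, authenticated_user, role_principals, observed):
    """observed: servlet-name -> principal actually reported by the EJB.
    Returns {servlet-name: (observed, expected)} for every mismatch."""
    leaks = {}
    for name, seen in observed.items():
        want = expected_caller(servlets, name, authenticated_user, role_principals)
        if seen != want:
            leaks[name] = (seen, want)
    return leaks


if __name__ == "__main__":
    servlets = parse_servlets(SAMPLE_WEB_XML)
    print(audit_run_as(SAMPLE_WEB_XML))
    # Step 6 of the report: both JSPs reported 'scott' on Tomcat 4.0.1.
    print(find_leaks(servlets, "j2ee", {"eng": "scott"},
                     {"test": "scott", "testRunAs": "scott"}))
```

Run against a real descriptor by replacing SAMPLE_WEB_XML with the file contents; a non-empty 'at_risk' list on an affected Tomcat 4.0.x build is the set of components whose EJB calls are made under the wrong identity, and find_leaks gives the regression check to rerun after upgrading.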
-----------------------------------------------------------------
TestEJB.java
-----------------------------------------------------------------
package de.j2eeguru.example;

import javax.ejb.SessionBean;
import javax.ejb.EJBException;
import javax.ejb.CreateException;
import javax.ejb.SessionContext;

/*
 * Stateless session bean 'TestEJB'
 */
public class TestEJB implements SessionBean
{
    private SessionContext sctx = null;

    //------------------------------------------------------------
    // Implementation of the business methods
    //------------------------------------------------------------
    public String getUserName()
    {
        // the caller principal the container propagated into this call
        return sctx.getCallerPrincipal().getName();
    }

    //------------------------------------------------------------
    // Implementation of the create method
    //------------------------------------------------------------
    public void ejbCreate() throws CreateException { }

    //------------------------------------------------------------
    // Implementation of the interface 'javax.ejb.SessionBean'
    //------------------------------------------------------------
    public void setSessionContext( SessionContext sctx ) { this.sctx = sctx; }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }
}
-----------------------------------------------------------------
Test.java
-----------------------------------------------------------------
package de.j2eeguru.example;

import java.rmi.RemoteException;
import javax.ejb.EJBObject;

/*
 * Remote interface for the session bean 'TestEJB'
 */
public interface Test extends EJBObject
{
    public String getUserName() throws RemoteException;
}
-----------------------------------------------------------------
TestHome.java
-----------------------------------------------------------------
package de.j2eeguru.example;

import java.rmi.RemoteException;
import javax.ejb.EJBHome;
import javax.ejb.CreateException;

/**
 * Home interface for the session bean 'TestEJB'.
 */
public interface TestHome extends EJBHome
{
    public Test create() throws CreateException, RemoteException;
}