Posted to users@tomcat.apache.org by Nicola Ken Barozzi <ni...@supereva.it> on 2000/07/03 13:22:33 UTC

Re: tomcat security - patches

----- Original Message ----- 
From: "Nacho" <na...@siapi.es>
To: <to...@jakarta.apache.org>
Sent: Monday, July 03, 2000 12:30 PM
Subject: RE: tomcat security


> This is known; it's solved in the latest Tomcat version. Currently there
> is a 3.2 Beta, which is the latest.
> 
> Regards,
> Ignacio J. Ortega
> 
> 
> > -----Original Message-----
> > From: brian.king@amd.com [mailto:brian.king@amd.com]
> > Sent: Monday, 3 July 2000 12:14
> > To: tomcat-user@jakarta.apache.org
> > Subject: tomcat security
> > 
> > 
> > When I try accessing the /examples/jsp/security/protected/ page, after
> > logging in, instead of seeing the index.jsp page (which should tell me
> > something about my privileges and roles), I see a page like:
> > ----------------------------------------------------------------------------
> > Directory Listing for: /examples/jsp/security/protected/
> >        Up to: /examples/jsp/security
> >        Subdirectories:
> >              images/      Thu, 22 Jun 2000 14:07 CEST
> >              jsp/         Thu, 29 Jun 2000 14:47 CEST
> >              servlets/    Thu, 22 Jun 2000 14:07 CEST
> > Tomcat Web Server v3.1
> > ----------------------------------------------------------------------------
> > 
> > which actually shows me the directory listing for the
> > /examples directory.
> > 
> > If I try to access the /examples/jsp/security/protected/index.jsp page
> > directly, I get error 404, File Not Found.
> > 
> > Any ideas how to correct this behavior?
> > 
> > Thanks,
> > Brian King


I had the same problem.
IMHO it would be very much appreciated if this were written on the site pages.
The documentation states that security seems to work OK, but
it is wrong. This disorients users.
Anyway, in the mailing list archive I found the following...
Now security works for me.

Ken

Nicola Ken Barozzi - AISA Industries S.p.A
http://www.aisaindustries.it/
Via Leonardo da Vinci,2 Ticengo (CR) Italy
Personal homepage at Java Guru:
http://www.jguru.com/jguru/guru/viewchannel.jsp?EID=39153
Personal FAQ at Java Guru:
http://www.jguru.com/jguru/guru/viewfaqs.jsp?EID=39153
Research Activity:
Politecnico di Milano - Dipartimento di Meccanica
Piazza Leonardo da Vinci, n.32 - 20133 Milano (Italy)

/***********************************************************/
This is cc'd to tomcat-users because a number of users had reported these bugs.

Below are patches for a couple of bugs in 3.1 final which had not been fixed 
in CVS as of yesterday. The bugs are described in the email  included below.

Apologies if this is going over old ground. I was told that this had been 
discussed before (soon after 3.1 release) and it was decided not to fix them 
because of the move to a new security architecture (I understand from the 
CVS logs that SimpleMapper is to be deleted). However, I couldn't find this 
discussion in the mailing list archives (neither users nor dev).

--- org/apache/tomcat/core/Container.java.orig  Mon May  8 12:52:10 2000
+++ org/apache/tomcat/core/Container.java       Mon May  8 12:35:40 2000
@@ -281,6 +281,10 @@
        return handler;
     }

+    public boolean hasNonDefaultHandler () {
+       return handler != null;
+    }
+
     /** The handler ( servlet ) for this container
      */
     public void setHandler(ServletWrapper h) {
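Review bot: `hasNonDefaultHandler()` tests the raw field `handler != null`, and the getter whose tail is visible just above it ends with `return handler;`, so the new method differs from the old `getHandler() != null` test only if `getHandler()` substitutes a default handler earlier in its body; that is the whole basis of the fix, and nothing in the hunk says so. Give the method a Javadoc comment in the style of the setter that follows it, e.g. `/** True only when a handler was set explicitly; unlike getHandler() this never falls back to the default servlet */`, so a later reader of the SimpleMapper call sites does not "simplify" them back to `getHandler() != null`.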


--- org/apache/tomcat/request/SimpleMapper.java.orig    Mon May  8 12:57:20 
2000
+++ org/apache/tomcat/request/SimpleMapper.java Mon May  8 12:33:55 2000
@@ -291,7 +291,7 @@
        // add the mapping in the "securityContraints"
        // or in contextPaths if it's a servlet mapping
        Hashtable mtable=securityConstraints;
-       if( ct.getHandler() != null )
+       if( ct.hasNonDefaultHandler() )
            mtable=contextPaths;

        if(debug>0) ctx.log("Add mapping/container " + path + " " + 
ctx.getDebug() + " " + ctxP + " " +
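Review bot: the table choice at the changed line is exactly what decides whether a <security-constraint> with no servlet of its own is treated as a servlet mapping, and a misclassified constraint is what turns the zone prefix into path info and lets the prefix shadow the *.xml extension mapping, the two symptoms in the report below. The debug log that follows records path and context but not which table was chosen; add the table name (`securityConstraints` vs `contextPaths`) to that `ctx.log(...)` call so a misclassification is visible at debug>0, and add a mapper test where a container carrying roles but no handler must land in `securityConstraints`.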
@@ -389,7 +389,7 @@
        }

        // Set servlet path and path info
-       if( wrapper != null && wrapper.getHandler() != null ) {
+       if( wrapper != null && wrapper.hasNonDefaultHandler () ) {
            // Found a match !
            req.setServletPath( s );
            String pathI = path.substring(s.length(), path.length());
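Review bot: with `wrapper.hasNonDefaultHandler()` now false for a constraint-only container, this branch no longer sets the servlet path to the zone prefix, but the else path that handles that case is outside the hunk. Confirm it leaves the full request path as the servlet path (so the default servlet resolves ~/fyp/public/users/foobar.xml rather than ~/fyp/public/foobar.xml) and that the authentication check is driven by the `securityConstraints` table and not by the wrapper returned here; otherwise the zone maps correctly but is no longer protected.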



>From: "Robin Green" <gr...@hotmail.com>
>Reply-To: tomcat-user@jakarta.apache.org
>To: tomcat-user@jakarta.apache.org
>Subject: Two authentication bugs
>Date: Wed, 03 May 2000 16:56:32 BST
>
>My configuration is
>
>Tomcat 3.1
>Cocoon 1.7.1-dev
>Solaris 7
>
>I have set up two BASIC authentication zones for development purposes in
>build/tomcat/conf/web.xml as follows:
>
>    <security-constraint>
>      <web-resource-collection>
>         <web-resource-name>Administrator Area</web-resource-name>
>         <!-- Define the context-relative URL(s) to be protected -->
>         <url-pattern>/admin/*</url-pattern>
>     </web-resource-collection>
>      <auth-constraint>
>         <!-- Anyone with one of the listed roles may access this area -->
>         <role-name>admin</role-name>
>      </auth-constraint>
>    </security-constraint>
>
>    <security-constraint>
>      <web-resource-collection>
>         <web-resource-name>Members Area</web-resource-name>
>         <!-- Define the context-relative URL(s) to be protected -->
>         <url-pattern>/users/*</url-pattern>
>     </web-resource-collection>
>      <auth-constraint>
>         <!-- Anyone with one of the listed roles may access this area -->
>         <role-name>admin</role-name>
>         <role-name>user</role-name>
>      </auth-constraint>
>    </security-constraint>
>
>The relevant context from server2.xml is
>
>        <Context path="/fyp" docBase="/home/ufs1/12/greenrd/fyp/public"
>         debug="1"
>         reloadable="true" />
>
>However, when I log in correctly:
>
>Bug 1: the servlet mapping which states that *.xml files are to be handled
>by Cocoon is broken inside these security zones (but not outside). Instead
>it returns the .xml file directly to Internet Explorer.
>
>Bug 2: http://myhost/fyp/users/foobar.xml causes Tomcat to fetch
>~/fyp/public/foobar.xml not ~/fyp/public/users/foobar.xml as it should. So
>I tried http://myhost/fyp/users/users/ and this gave me a directory listing
>starting with
>
>Directory Listing for: /fyp/users/users/
>Up to: /fyp/users
>
>
>which is _actually_ a directory listing for ~/fyp/public/users (it should
>have 404ed). Clearly the path for the zone is being stripped from the URI,
>which makes no sense. ( ~ indicates my home dir, /home/ufs1/12/greenrd ).
>
>There are no operating-system symbolic links involved. There is no WEB-INF
>directory under ~/fyp/public . If I create one and copy web.xml to
>~/fyp/public/WEB-INF and restart tomcat, same two bugs occur.
>
>I really don't want to reorganise all my links to work around this bug.
>Suggestions?
>
>--
>Robin
>
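As an added illustration, not Tomcat code and not from either reporter, here is a small Python model of the one decision the patch above changes: whether a container is filed as a servlet mapping or as a security constraint. It assumes a getter that substitutes a default file-serving servlet when none is configured (which is what would make the old `getHandler() != null` test always true), a default servlet that serves the path-info part when a prefix mapping supplied one, and the url-patterns and docBase from Robin Green's web.xml and server2.xml. The table layout, the handler names and the file-resolution rule are modelling assumptions chosen to reproduce the two reported symptoms, not facts taken from the Tomcat source.

```python
# Toy model of the SimpleMapper classification bug discussed in this thread.
# Constructed illustration code, not Tomcat source: the table layout, the
# default-handler name and the default servlet's file-resolution rule are
# assumptions chosen to reproduce the behaviour the reporters describe.
from dataclasses import dataclass
from typing import Optional

DEFAULT_HANDLER = "default"                    # assumed file-serving servlet
DOCBASE = "/home/ufs1/12/greenrd/fyp/public"   # docBase quoted in the thread


@dataclass(frozen=True)
class Container:
    pattern: str                    # url-pattern such as "/users/*" or "*.xml"
    handler: Optional[str] = None   # explicit servlet; None for a pure constraint
    roles: tuple = ()               # auth-constraint role names, if any


@dataclass(frozen=True)
class Match:
    handler: str
    servlet_path: str
    path_info: Optional[str]
    roles: tuple


def effective_handler(ct: Container) -> str:
    """Models a getter that falls back to the default servlet when no handler
    was configured (assumed; this is what made the old null test useless)."""
    return ct.handler if ct.handler is not None else DEFAULT_HANDLER


class Mapper:
    def __init__(self, containers, fixed: bool):
        self.prefix_mappings = {}   # "/users" -> Container  (servlet mappings)
        self.ext_mappings = {}      # "xml"    -> Container
        self.constraints = []       # containers that only carry roles
        for ct in containers:
            # The two classification rules under comparison.
            if fixed:
                is_servlet_mapping = ct.handler is not None          # raw field
            else:
                is_servlet_mapping = effective_handler(ct) is not None  # always True
            if not is_servlet_mapping:
                self.constraints.append(ct)
            elif ct.pattern.startswith("*."):
                self.ext_mappings[ct.pattern[2:]] = ct
            elif ct.pattern.endswith("/*"):
                self.prefix_mappings[ct.pattern[:-2]] = ct
            else:
                raise ValueError("unsupported pattern " + ct.pattern)
        # Roles are gathered from every role-bearing container regardless of
        # table, so both variants still require a login for the zone.
        self.role_sources = [ct for ct in containers if ct.roles]

    @staticmethod
    def _prefix_hits(prefix: str, path: str) -> bool:
        return path == prefix or path.startswith(prefix + "/")

    def required_roles(self, path: str) -> tuple:
        roles = ()
        for ct in self.role_sources:
            if ct.pattern.endswith("/*") and self._prefix_hits(ct.pattern[:-2], path):
                roles += ct.roles
        return roles

    def map(self, path: str) -> Match:
        roles = self.required_roles(path)
        # 1. longest matching prefix servlet mapping wins
        best = None
        for prefix, ct in self.prefix_mappings.items():
            if self._prefix_hits(prefix, path) and (best is None or len(prefix) > len(best[0])):
                best = (prefix, ct)
        if best is not None:
            prefix, ct = best
            # Servlet path is the mapping prefix; the remainder becomes path info.
            return Match(effective_handler(ct), prefix, path[len(prefix):] or None, roles)
        # 2. extension mapping (e.g. *.xml -> Cocoon)
        dot = path.rfind(".")
        if dot != -1 and path[dot + 1:] in self.ext_mappings:
            return Match(self.ext_mappings[path[dot + 1:]].handler, path, None, roles)
        # 3. default servlet with the whole request path as servlet path
        return Match(DEFAULT_HANDLER, path, None, roles)


def served_file(m: Match) -> Optional[str]:
    """File the default servlet would open. Modelling assumption: it serves
    path_info when a prefix mapping supplied one, otherwise the servlet path."""
    if m.handler != DEFAULT_HANDLER:
        return None
    return DOCBASE + (m.path_info if m.path_info is not None else m.servlet_path)


# Deployment constructed from the web.xml quoted in Robin Green's report.
CONTAINERS = (
    Container("/admin/*", roles=("admin",)),
    Container("/users/*", roles=("admin", "user")),
    Container("*.xml", handler="cocoon"),
)


def demo(fixed: bool, path: str):
    """Returns (handler, file the default servlet would serve, required roles)."""
    m = Mapper(CONTAINERS, fixed=fixed).map(path)
    return m.handler, served_file(m), m.roles


if __name__ == "__main__":
    for p in ("/users/foobar.xml", "/users/users/", "/pub/foobar.xml"):
        print(p, "buggy:", demo(False, p), "fixed:", demo(True, p))
```

With the old rule every constraint lands in the servlet-mapping table, so /users/foobar.xml is handed to the default servlet with path info /foobar.xml (Cocoon bypassed, file fetched from the context root) and /users/users/ lists ~/fyp/public/users; with the corrected rule the same requests reach the *.xml mapping or resolve under /users as expected, and both variants still demand the admin or user role for the zone.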