You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/08/10 12:28:16 UTC
DO NOT REPLY [Bug 11603] New: -
security fails for http-method != GET when user is forced to login
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11603>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11603
security fails for http-method != GET when user is forced to login
Summary: security fails for http-method != GET when user is
forced to login
Product: Tomcat 4
Version: 4.0.4 Final
Platform: Other
URL: http://www.secuityfilter.org/tomcat/http-method-bug.war
OS/Version: Other
Status: NEW
Severity: Normal
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: max@maxcooper.com
With a deployment descriptor like this:
<web-app>
<welcome-file-list>
<welcome-file>/index.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>Block POSTs to /showMessage.jsp</web-resource-name>
<url-pattern>/showMessage.jsp</url-pattern>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/loginForm.jsp</form-login-page>
<form-error-page>/loginError.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>
...no one should be able to POST to /showMessage.jsp. However, if an
unauthenticated user makes such a POST, they will be sent through the login
form, ending up with a redirect which results in a GET for /showMessage.jsp.
Tomcat fails to recognize this request as a POST and allows the user to
perform the GET. This is a problem because you can't effectively block access
based on http-methods other than GET. All a user need do is make sure they
aren't logged in before they make such a request, and the container will
execute their request as if it was a GET. Of course, it is a GET in the end,
but I think it needs to be interpreted by the container as being of the same
method that caused the trip through the login sequence (i.e. use
SavedRequest.getMethod() instead of the method from the current request when
checking for authorization).
This would be a major problem if someone wanted to block POST (or any method
besides GET) requests to their application or a part of their application.
The URL I included in this bug report will allow you to download a test
application that demonstrates this problem.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>