Posted to dev@tomcat.apache.org by Jonathan Eric Miller <je...@uchicago.edu> on 2000/07/19 22:03:53 UTC

Bug in basic HTTP authentication/resource protection in Tomcat 3.1?

It may just be the case that I don't know what I'm doing, but, I noticed
something that I think may be a bug with regard to protecting resources in
Tomcat.

I was playing around with the web.xml file used for the ROOT Web application
trying to see if I could make it so that users would have to authenticate
via basic HTTP authentication in order to access the SnoopServlet. The
web.xml file that I'm using is listed below.

It seems to work fine (i.e. it prompts me for a password) if I access it
using the following URL.

http://localhost:8080/servlet/SnoopServlet

However, I noticed that if I append a slash after it (entered it by
accident), I'm able to access the servlet without having to authenticate.

http://localhost:8080/servlet/SnoopServlet/

Also, I noticed that it works correctly for URLs like the following.

http://localhost:8080/servlet/SnoopServlet?var1=value1

Jon

P.S. I'm not actually subscribed to this list, so, please CC
jemiller@uchicago.edu with any responses. Thanks.

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">

<web-app>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <!-- Define the context-relative URL(s) to be protected -->
            <url-pattern>/servlet/SnoopServlet</url-pattern>
            <!-- If you list http methods, only those methods are protected -->
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <!-- Anyone with one of the listed roles may access this area -->
            <role-name>tomcat</role-name>
            <role-name>role1</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses BASIC authentication -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Example Basic Authentication Area</realm-name>
    </login-config>
</web-app>

Re: Bug in basic HTTP authentication/resource protection in Tomcat 3.1?

Posted by Costin Manolache <Co...@eng.sun.com>.
Jonathan Eric Miller wrote:

> Yeah, but it's running the same servlet. I didn't even know that
> SnoopServlet/ was a valid URL. IMHO, this should be changed. If it isn't I
> doubt that I will be the only one that makes this mistake.

It is a valid URL - even if it runs the same servlet ( with "/" as pathInfo ).

> If it weren't for the fact that I accidentally typed the extra /, I would
> have a gaping hole in my application that I didn't even know about.
>
> It isn't really a problem with the resource protection, it's that
> SnoopServlet shouldn't get run if there is a trailing /.

Sorry about that, but that's perfectly correct behavior. The same
happens with CGIs or any other system.

It doesn't happen for JSPs because the spec doesn't allow pathInfo
for extension mapped servlets.

Costin


Re: Bug in basic HTTP authentication/resource protection in Tomcat 3.1?

Posted by Jonathan Eric Miller <je...@uchicago.edu>.
Yeah, but it's running the same servlet. I didn't even know that
SnoopServlet/ was a valid URL. IMHO, this should be changed. If it isn't I
doubt that I will be the only one that makes this mistake.

If it weren't for the fact that I accidentally typed the extra /, I would
have a gaping hole in my application that I didn't even know about.

It isn't really a problem with the resource protection, it's that
SnoopServlet shouldn't get run if there is a trailing /.

Jon

----- Original Message -----
From: "Costin Manolache" <Co...@eng.sun.com>
To: <to...@jakarta.apache.org>; <je...@uchicago.edu>
Sent: Thursday, July 20, 2000 1:18 PM
Subject: Re: Bug in basic HTTP authentication/resource protection in Tomcat
3.1?


> > Jon
> >
> > P.S. I'm not actually subscribed to this list, so, please CC
> > jemiller@uchicago.edu with any responses. Thanks.
> >
> >       <web-resource-collection>
> >          <web-resource-name>Protected Area</web-resource-name>
> >   <!-- Define the context-relative URL(s) to be protected -->
> >          <url-pattern>/servlet/SnoopServlet</url-pattern>
>
> That's an exact map - it protects SnoopServlet but doesn't protect
> SnoopServlet/
>
> Costin
>


Re: Bug in basic HTTP authentication/resource protection in Tomcat 3.1?

Posted by Costin Manolache <Co...@eng.sun.com>.
> Jon
>
> P.S. I'm not actually subscribed to this list, so, please CC
> jemiller@uchicago.edu with any responses. Thanks.
>
>       <web-resource-collection>
>          <web-resource-name>Protected Area</web-resource-name>
>   <!-- Define the context-relative URL(s) to be protected -->
>          <url-pattern>/servlet/SnoopServlet</url-pattern>

That's an exact map - it protects SnoopServlet but doesn't protect
SnoopServlet/

Costin
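An added illustration of the exact-map point made in this thread, not part of the original messages or of Tomcat's code: a small Python model of Servlet 2.2 url-pattern matching that shows why the posted exact pattern leaves `/servlet/SnoopServlet/` (pathInfo "/") unprotected, and how a `/*` prefix pattern plus an empty http-method list covers the pathInfo form and the unlisted methods too. The matching rules follow the servlet specification; the constraint structure and sample URIs are simplified and constructed here.

```python
from urllib.parse import urlsplit

# Added example: a model of Servlet 2.2 <url-pattern> matching, not Tomcat's
# own code. Shows why the thread's exact pattern misses "/servlet/SnoopServlet/"
# and how a prefix pattern closes that gap.


def pattern_matches(pattern: str, path: str) -> bool:
    """Match a context-relative request path against one <url-pattern>.

    Servlet 2.2 rules: "/foo/*" is a path-prefix match (covers "/foo" and
    everything below it), "*.ext" is an extension match, "/" is the default
    mapping, and any other pattern must equal the request path exactly.
    """
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])  # keep ".ext", drop the "*"
    if pattern == "/":
        return True
    return path == pattern  # exact map: a trailing "/" is a different path


def is_protected(constraints, method: str, request_uri: str) -> bool:
    """Return True if the request falls under some <security-constraint>.

    `constraints` is a list of (url_patterns, http_methods); an empty method
    set means every method is covered. The query string is never part of the
    match, which is why "?var1=value1" stayed protected in the thread.
    """
    path = urlsplit(request_uri).path
    for patterns, methods in constraints:
        if methods and method not in methods:
            continue  # listing methods protects only those methods
        if any(pattern_matches(p, path) for p in patterns):
            return True
    return False


# The constraint as posted: exact pattern, four listed methods.
POSTED = [(["/servlet/SnoopServlet"], {"DELETE", "GET", "POST", "PUT"})]

# Hardened variant: "/*" also covers the servlet with any pathInfo, and an
# empty method set covers HEAD, OPTIONS and anything else.
HARDENED = [(["/servlet/SnoopServlet/*"], set())]

if __name__ == "__main__":
    for uri in ("/servlet/SnoopServlet", "/servlet/SnoopServlet/"):
        print(uri, is_protected(POSTED, "GET", uri), is_protected(HARDENED, "GET", uri))
```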