Mantis Bugtracker
  

ID: 0003333
Category: [Resin]
Severity: trivial
Reproducibility: always
Date Submitted: 02-09-09 12:59
Last Update: 03-18-09 12:14
Reporter: stbu
View Status: public
Assigned To: ferg
Priority: normal
Resolution: fixed
Status: closed
Projection: none
ETA: none
Fixed in Version: 4.0.0
Product Version: 3.1.9
Summary: 0003333: Snapshot 3.1.s090206: <secure/> causes login-config and security-constraint to be ignored
Description:
When <secure/> is specified in a <web-app>, the configured BASIC Authentication is not applied.
When a non-SSL request is performed, Resin will respond with 403 Forbidden.
But when an SSL request is performed, the application is accessible without authentication.

The documentation at http://caucho.com/resin-3.1/doc/webapp-tags.xtp#secure contains:
"The <secure> flag requires that the web-app only be accessed in a secure/SSL mode. Equivalent to a <security-constraint>."

But this does not imply that <login-config> and other <security-constraint> elements are ignored, right? Maybe I just don't understand that part of the documentation, but that behavior was not expected.

However, I prefer to use
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
This is similar to <secure/>, but the authentication is still requested.
Steps To Reproduce
Additional Information:
My test case is using a simple resin-web.xml; here is the content.

<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="http://caucho.com/ns/resin/core">

  <!--
     - http://caucho.com/resin-3.1/doc/webapp-tags.xtp#secure
     - The <secure> flag requires that the web-app only be accessed
     - in a secure/SSL mode. Equivalent to a <security-constraint>.
  -->
  <secure/>
  <!--
     - When <secure/> is specified, the following BASIC Authentication
     - is not applied. When the request is an SSL request, the
     - Application is served.
     -
     - Comment out <secure/> and the SSL request will require the
     - Authentication.
  -->

  <login-config auth-method="basic"/>
  <authenticator type="com.caucho.server.security.XmlAuthenticator">
    <init>
      <path>WEB-INF/password.xml</path>
    </init>
  </authenticator>
  <security-constraint>
    <auth-constraint role-name='mytest'/>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

</web-app>


The attached WAR can be used to reproduce it.
Pre-requirement:

Resin must be configured with an SSL port, such as

  <http port="8443">
    <jsse-ssl>
      <key-store-type>jks</key-store-type>
      <key-store-file>conf/keys/server.keystore</key-store-file>
      <password>changeit</password>
    </jsse-ssl>
  </http>

from "Create a test server certificate", http://caucho.com/resin-3.1/doc/resin-security.xtp#Create
Attached Files: test-secure.war (1,810 bytes) 02-09-09 12:59
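
As an added example (not part of the report, and not Resin's own code), the following Python lint parses a resin-web.xml and flags the combination the report describes: a <secure/> flag next to <login-config>/<security-constraint>, plus any constraint that requires a role without a CONFIDENTIAL transport guarantee. The two sample documents are constructed from the reporter's file: the first reproduces the weak configuration, the second is the form the reporter prefers, where the SSL requirement lives inside the security-constraint so authentication is still applied. The finding codes and helper names are this example's own assumptions.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

# Default namespace used by the resin-web.xml in the report.
RESIN_NS = "http://caucho.com/ns/resin"


def q(tag: str) -> str:
    """Qualify a local tag name with the Resin namespace for ElementTree lookups."""
    return "{%s}%s" % (RESIN_NS, tag)


def check_web_app(xml_text: str) -> list[tuple[str, str]]:
    """Return a list of (code, detail) findings for one resin-web.xml document."""
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str]] = []

    has_secure = root.find(q("secure")) is not None
    has_login = root.find(q("login-config")) is not None
    constraints = root.findall(q("security-constraint"))

    # Finding 1: <secure/> next to authentication config. Issue 0003333 reports
    # that the 3.1.s090206 snapshot then serves SSL requests without applying
    # the configured BASIC authentication.
    if has_secure and (has_login or constraints):
        findings.append((
            "SECURE_SHADOWS_AUTH",
            "<secure/> is combined with <login-config>/<security-constraint>; "
            "express the SSL requirement as <user-data-constraint> CONFIDENTIAL instead",
        ))

    # Finding 2: a constraint that requires a role but not a confidential
    # transport, so the credentials it asks for may be sent over plain HTTP.
    for index, sc in enumerate(constraints):
        if sc.find(q("auth-constraint")) is None:
            continue  # a transport-only constraint is fine on its own
        guarantee = sc.findtext(
            "%s/%s" % (q("user-data-constraint"), q("transport-guarantee")), default=""
        )
        if guarantee.strip().upper() != "CONFIDENTIAL":
            findings.append((
                "AUTH_WITHOUT_CONFIDENTIAL",
                "security-constraint #%d has <auth-constraint> but no CONFIDENTIAL "
                "<transport-guarantee>" % index,
            ))
    return findings


def finding_codes(xml_text: str) -> list[str]:
    """Convenience wrapper returning only the finding codes, in order."""
    return [code for code, _ in check_web_app(xml_text)]


# Constructed sample 1: the reporter's file with the comments removed.
WEAK_CONFIG = """<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="http://caucho.com/ns/resin/core">
  <secure/>
  <login-config auth-method="basic"/>
  <authenticator type="com.caucho.server.security.XmlAuthenticator">
    <init><path>WEB-INF/password.xml</path></init>
  </authenticator>
  <security-constraint>
    <auth-constraint role-name="mytest"/>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""

# Constructed sample 2: the reporter's preferred form. The SSL requirement is
# a <user-data-constraint> inside the same constraint that demands the role.
HARDENED_CONFIG = """<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="http://caucho.com/ns/resin/core">
  <login-config auth-method="basic"/>
  <authenticator type="com.caucho.server.security.XmlAuthenticator">
    <init><path>WEB-INF/password.xml</path></init>
  </authenticator>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint role-name="mytest"/>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample 3: <secure/> on its own, the documented use, is not flagged.
SECURE_ONLY_CONFIG = """<web-app xmlns="http://caucho.com/ns/resin">
  <secure/>
</web-app>
"""

if __name__ == "__main__":
    for name, doc in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("secure-only", SECURE_ONLY_CONFIG)]:
        print(name, check_web_app(doc) or "no findings")
```

Running the script prints two findings for the weak document and none for the other two; the checker deliberately ignores element order inside <security-constraint>, since Resin accepts the reporter's ordering as well as the servlet-spec one.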

- Relationships

- Notes
(0003891) ferg, 03-18-09 12:14:
server/1ai0

- Issue History
Date Modified    Username  Field             Change
02-09-09 12:59   stbu      New Issue
02-09-09 12:59   stbu      File Added        test-secure.war
02-09-09 12:59   stbu      Issue Monitored   stbu
03-18-09 12:14   ferg      Note Added        0003891
03-18-09 12:14   ferg      Assigned To       => ferg
03-18-09 12:14   ferg      Status            new => closed
03-18-09 12:14   ferg      Resolution        open => fixed
03-18-09 12:14   ferg      Fixed in Version  => 4.0.0

