Mantis Bugtracker
  

ID: 0003333
Category: [Resin]
Severity: trivial
Reproducibility: always
Date Submitted: 02-09-09 12:59
Last Update: 03-18-09 12:14
Reporter: stbu
View Status: public
Assigned To: ferg
Priority: normal
Resolution: fixed
Status: closed
Product Version: 3.1.9
Summary: 0003333: Snapshot 3.1.s090206: <secure/> cause ignoring of login-config and security-constraint
Description: When <secure/> is specified in a <web-app>, the configured BASIC Authentication is not applied.
When a non-SSL request is performed, Resin will respond with 403 Forbidden.
But when an SSL request is performed, the application is accessible without authentication.

The documentation http://caucho.com/resin-3.1/doc/webapp-tags.xtp#secure contains:
The <secure> flag requires that the web-app only be accessed in a secure/SSL mode. Equivalent to a <security-constraint>.

But this does not imply that <login-config> and other <security-constraint> elements are ignored, right? Maybe I just don't understand that part of the documentation, but that behavior was not expected.

However, I prefer to use
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
This is similar to <secure/>, but the Authentication is still requested.
Additional Information: My test case uses a simple resin-web.xml; here is the content.


<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="http://caucho.com/ns/resin/core">

  <!--
     - http://caucho.com/resin-3.1/doc/webapp-tags.xtp#secure
     - The <secure> flag requires that the web-app only be accessed
     - in a secure/SSL mode. Equivalent to a <security-constraint>.
  -->
  <secure/>
  <!--
     - When <secure/> is specified, the following BASIC Authentication
     - is not applied. When the request is an SSL request, the
     - Application is served.
     -
     - Comment out <secure/> and the SSL request will require the
     - Authentication.
  -->

  <login-config auth-method="basic"/>
  <authenticator type="com.caucho.server.security.XmlAuthenticator">
    <init>
      <path>WEB-INF/password.xml</path>
    </init>
  </authenticator>
  <security-constraint>
    <auth-constraint role-name='mytest'/>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

</web-app>


The attached WAR can be used to reproduce it.
Prerequisite:

Resin must be configured with an SSL Port, such as

      <http port="8443">
        <jsse-ssl>
          <key-store-type>jks</key-store-type>
          <key-store-file>conf/keys/server.keystore</key-store-file>
          <password>changeit</password>
        </jsse-ssl>
      </http>

from http://caucho.com/resin-3.1/doc/resin-security.xtp#Create (Create a test server certificate).
Attached Files: test-secure.war (1,810 bytes) 02-09-09 12:59
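The alternative the reporter prefers, written out as a complete resin-web.xml, as an added example that is not part of the report or of Resin's own documentation: <secure/> is dropped, and a single <security-constraint> carries both the role requirement and a CONFIDENTIAL transport guarantee, so the SSL requirement and the BASIC challenge are enforced by the same mechanism rather than by two that interact. The role name 'mytest' and the XmlAuthenticator setup are taken from the report's test case; the comments describe the behaviour the report attributes to this configuration on the 3.1.s090206 snapshot, and the example has not been re-run here.

```xml
<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="http://caucho.com/ns/resin/core">

  <!-- Deliberately no <secure/> here: on the reported snapshot it
       suppressed the login-config and security-constraint below
       for SSL requests. -->

  <login-config auth-method="basic"/>
  <authenticator type="com.caucho.server.security.XmlAuthenticator">
    <init>
      <!-- Same password file as the report's test case (format not shown
           in the report). -->
      <path>WEB-INF/password.xml</path>
    </init>
  </authenticator>

  <!-- One constraint covering the whole web-app: the request must carry
       credentials for role 'mytest' AND must arrive over SSL.
       Per the report, with this form the SSL request still triggers the
       Basic challenge instead of being served unauthenticated.
       Resin's exact response to a plain-HTTP request under CONFIDENTIAL
       (403 or a redirect to the SSL port) is not recorded in the report. -->
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint role-name="mytest"/>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>
```

After deploying, the check worth doing is the same one the report describes, against both ports: an SSL request with no credentials must answer 401 with a WWW-Authenticate: Basic header, the same request with valid 'mytest' credentials must answer 200, and a plain-HTTP request must not answer 200 with the protected content regardless of credentials. If the unauthenticated SSL request returns the application, the constraint is not being applied and the web-app is exposed exactly as in this report.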

- Relationships

- Notes
(0003891)
ferg
03-18-09 12:14

server/1ai0
 

- Issue History
Date Modified Username Field Change
02-09-09 12:59 stbu New Issue
02-09-09 12:59 stbu File Added: test-secure.war
02-09-09 12:59 stbu Issue Monitored: stbu
03-18-09 12:14 ferg Note Added: 0003891
03-18-09 12:14 ferg Assigned To  => ferg
03-18-09 12:14 ferg Status new => closed
03-18-09 12:14 ferg Resolution open => fixed
03-18-09 12:14 ferg Fixed in Version  => 4.0.0

