Mantis - Resin
Viewing Issue Advanced Details
ID: Category: Severity: Reproducibility: Date Submitted: Last Update:
3333 trivial always 02-09-09 12:59 03-18-09 12:14
Reporter: stbu Platform:  
Assigned To: ferg OS:  
Priority: normal OS Version:  
Status: closed Product Version: 3.1.9  
Product Build: Resolution: fixed  
Projection: none      
ETA: none Fixed in Version: 4.0.0  
Summary: 0003333: Snapshot 3.1.s090206: <secure/> cause ignoring of login-config and security-constraint
Description: When <secure/> is specified in a <web-app>, the configured BASIC Authentication is not applied.
When a non SSL Request is performed, Resin will respond with 403 Forbidden.
But when an SSL Request is performed, the application is accessable without authentication.

The documentation http://caucho.com/resin-3.1/doc/webapp-tags.xtp#secure [^] contains:
The <secure> flag requires that the web-app only be accessed in a secure/SSL mode. Equivalent to a <security-constraint>.

But this does not imply that <login-config> and other <security-constraint> is ignored, right? Maybe I just don't understand that part of the documentation, but that behavior was not expected.

However, I prefer to use
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
This is similar to <secure/>, but the Authentication is still requested.
Steps To Reproduce:
Additional Information: My testcase is using a simple resin-web.xml, here is the content.


<web-app xmlns="http://caucho.com/ns/resin" [^]
         xmlns:resin="http://caucho.com/ns/resin/core"> [^]

  <!--
     - http://caucho.com/resin-3.1/doc/webapp-tags.xtp#secure [^]
     - The <secure> flag requires that the web-app only be accessed
     - in a secure/SSL mode. Equivalent to a <security-constraint>.
  -->
  <secure/>
  <!--
     - When <secure/> is specified, the following BASIC Authentication
     - is not applied. When the request is an SSL request, the
     - Application is served.
     -
     - Comment out <secure/> and the SSL request will require the
     - Authentication.
  -->

  <login-config auth-method="basic"/>
  <authenticator type="com.caucho.server.security.XmlAuthenticator">
    <init>
      <path>WEB-INF/password.xml</path>
    </init>
  </authenticator>
  <security-constraint>
    <auth-constraint role-name='mytest'/>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

</web-app>


The attached WAR can be used to reproduce it.
Pre-Requirement:

Resin must be configured with an SSL Port, such as

      <http port="8443">
        <jsse-ssl>
          <key-store-type>jks</key-store-type>
          <key-store-file>conf/keys/server.keystore</key-store-file>
          <password>changeit</password>
        </jsse-ssl>
       </http>

from http://caucho.com/resin-3.1/doc/resin-security.xtp#Create [^] a test server certificate
Relationships
Attached Files:  test-secure.war [^] (1,810 bytes) 02-09-09 12:59

Notes
(0003891)
ferg   
03-18-09 12:14   
server/1ai0