Bug 920160
| Summary: | Unauthorized access to a web application protected with a custom authorization module results in HTTP 200 (OK) instead of HTTP 403 (Forbidden) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Josef Cacek <jcacek> | ||||
| Component: | Security | Assignee: | Emmanuel Hugonnet (ehsavoie) <ehugonne> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Josef Cacek <jcacek> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 6.1.0 | CC: | asaldhan, ehugonne, jlivings, olukas, pskopek, rdickens | ||||
| Target Milestone: | ER3 | ||||||
| Target Release: | EAP 6.2.0 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: |
In JBoss EAP 6.1.0, unauthorized access to a web application protected with a custom authorization module resulted in an HTTP response of 200 (OK) instead of HTTP 403 (Forbidden). This issue has been resolved and the correct response is now provided.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2013-12-15 16:18:05 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Josef Cacek
2013-03-11 13:28:13 UTC
Stacktrace printed when DEBUG level is enabled: 14:14:07,550 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000299: Required module org.jboss.security.authorization.modules.AllDenyAuthorizationModule failed 14:14:07,556 DEBUG [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000326: hasUserDataPermission processing failed: org.jboss.security.authorization.AuthorizationException: PBOX000017: Acces denied: authorization failed at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:268) [picketbox-4.0.15.Final-redhat-1.jar:4.0.15.Final-redhat-1] at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:71) [picketbox-4.0.15.Final-redhat-1.jar:4.0.15.Final-redhat-1] at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:147) [picketbox-4.0.15.Final-redhat-1.jar:4.0.15.Final-redhat-1] at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_11] at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:143) [picketbox-4.0.15.Final-redhat-1.jar:4.0.15.Final-redhat-1] at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:429) [picketbox-4.0.15.Final-redhat-1.jar:4.0.15.Final-redhat-1] at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:115) [picketbox-4.0.15.Final-redhat-1.jar:4.0.15.Final-redhat-1] at org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasUserDataPermission(WebAuthorizationHelper.java:268) [picketbox-4.0.15.Final-redhat-1.jar:4.0.15.Final-redhat-1] at org.jboss.as.web.security.JBossWebRealm.hasUserDataPermission(JBossWebRealm.java:625) [jboss-as-web-7.2.0.Final-redhat-2.jar:7.2.0.Final-redhat-2] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-2.jar:7.2.0.Final-redhat-2] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1] at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_11] [vendredi 19 juillet 2013] [17:46:33] <ehsavoie> how/where does undertow delegates the access authorization ? I see the authentication part but not the authorization [vendredi 19 juillet 2013] [17:48:24] <darranl> ehsavoie, no Undertow authorization is based on roles defined in the deployment so it performs that check itself [vendredi 19 juillet 2013] [17:49:27] <ehsavoie> darranl: so how does it access the authorization plugin for the security domain ? [vendredi 19 juillet 2013] [17:50:01] <ehsavoie> darranl: somewhere it has to delegate [vendredi 19 juillet 2013] [17:51:06] <darranl> ehsavoie, not sure if that mapping is currently in, longer term the plan is to move away from the JAAS domains [vendredi 19 juillet 2013] [17:52:03] <ehsavoie> darranl: that means that https://bugzilla.redhat.com/show_bug.cgi?id=920160 is not relevant in wildfly ? [vendredi 19 juillet 2013] [17:52:08] <jbossbot> bugzilla [3JBoss Enterprise Application Platform 6 #920160] Unauthorized access to a web application protected with a custom authorization module results in HTTP 200 (OK) instead of HTTP 403 (Forbidden) [10NEW Bug,7 high,6 Anil Saldhana] https://bugzilla.redhat.com/show_bug.cgi?id=920160 [vendredi 19 juillet 2013] [17:52:42] <darranl> ehsavoie, correct https://github.com/ehsavoie/jboss-eap/tree/BZ-920160 is ready to fix this issue. Verified on 6.2.0.ER3 Release notes text written, to be published at EAP 6.2.0's GA. |