|Title|Servlet named attach is overloaded
|Date|05-Dec-2004 20:02:30 EET
|Version|JSPWiki v2.0.52
|Submitter|ReinhardEngel
|Criticality|LightBug
|Browser version|Internet Explorer 6.0 SP1
|Status|ClosedBug
|[PageProvider] used|
|Servlet Container|Tomcat 5.0.19
|Operating System|Windows XP Pro
|URL|
|Java version|1.4.1 IBM Build cn141-20030516

! Servlet named "attach" is overloaded

The servlet named attach is overloaded to the point where security and access control become problematic.

At my sites, 
*Unregistered users are not allowed to view any pages
*There are two roles: editor and reader
*A reader can only view pages and download attachments
*An editor can do everything a reader can do plus edit pages and upload attachments
*All content is considered sensitive and protected by SSL.

At first, I just restricted Edit.jsp and Upload.jsp to editors.  Imagine my shock when my testers discovered that readers could replace attachments by using the form provided by the PageInfo.jsp.  This form invokes the attach servlet which is mapped to the AttachmentServlet.

To close this hole, I restricted attach and AttachmentServlet to editors as well, but this has a nasty side effect.  The attach servlet is used to download and in-line attachments as well.  By adding this restriction, I have made it impossible for readers to download attachments or see in-line pictures.

My software design experience makes me believe that overloading attach for both upload and download operations is a bad idea, as demonstrated by this unintended consequence.  Please consider using a command/action pattern where upload and download operations are implemented in separate servlets, sharing common code in an appropriate Java class under the covers.

Here are the security constraints that demonstrate the problem.

{{{
<security-constraint>
    <web-resource-collection>
        <web-resource-name>
            BaderWiki
        </web-resource-name>
        <url-pattern>
            *
        </url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>reader</role-name>
        <role-name>editor</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>
            CONFIDENTIAL
        </transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Edit</web-resource-name>
        <url-pattern>/Edit.jsp</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>Protected Upload</web-resource-name>
        <url-pattern>/Upload.jsp</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>Protected Attach</web-resource-name>
        <url-pattern>/attach</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <web-resource-collection>
        <web-resource-name>Protected AttachmentServlet</web-resource-name>
        <url-pattern>/AttachmentServlet</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>editor</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>
            CONFIDENTIAL
        </transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>BaderWiki Access Control</realm-name>
</login-config>
<security-role>
    <description>
        Editors are allowed to edit wiki pages and upload attachments.
    </description>
    <role-name>
        editor
    </role-name>
</security-role>
<security-role>
    <description>
        Readers are allowed to only view wiki pages.
    </description>
    <role-name>
        reader
    </role-name>
</security-role>
}}}


[Lance D Bader|ldbader]

Oops, you're right.  This is a bit of a hassle, I agree.  I'll have to move the upload functionality somewhere else.

--JanneJalkanen

(moved from old BugReports)

What about restricting POST to the editor role, while allowing GET to the readers? Just an idea. -- [Jawe]

Yes, that should work nicely as a workaround, if you use this:
{{{
    <web-resource-collection>
        <web-resource-name>Protected Attach</web-resource-name>
        <url-pattern>/attach</url-pattern>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
}}}

-- JanneJalkanen
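As an added check, not part of this report or of JSPWiki, here is a small Python model of how a servlet container resolves security constraints per path and method, run over constructed versions of the two configurations discussed above (the original all-methods restriction and the POST/PUT-only workaround). It assumes the site-wide pattern is `/*` and that the attachment servlet is reached at exactly `/attach`.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments (assumptions, not the reporter's file): a site-wide /*
# constraint for reader+editor, plus an editor-only /attach constraint in two variants.
GLOBAL = ("<security-constraint><web-resource-collection><web-resource-name>All"
          "</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>"
          "<auth-constraint><role-name>reader</role-name><role-name>editor</role-name>"
          "</auth-constraint></security-constraint>")

def attach_constraint(methods):
    """Editor-only constraint on /attach limited to the listed methods (empty = all)."""
    tags = "".join(f"<http-method>{m}</http-method>" for m in methods)
    return ("<security-constraint><web-resource-collection><web-resource-name>Attach"
            f"</web-resource-name><url-pattern>/attach</url-pattern>{tags}"
            "</web-resource-collection><auth-constraint><role-name>editor</role-name>"
            "</auth-constraint></security-constraint>")

ORIGINAL = f"<web-app>{GLOBAL}{attach_constraint([])}</web-app>"            # all methods
WORKAROUND = f"<web-app>{GLOBAL}{attach_constraint(['POST', 'PUT'])}</web-app>"

def pattern_rank(pattern, path):
    """Match rank (higher = more specific): exact path beats a /prefix/* pattern."""
    if pattern == path:
        return (2, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, len(prefix))
    return None  # extension and default patterns are not modelled here

def is_allowed(web_xml, path, method, user_roles):
    """Container-style decision: only the most specific matching constraints count, their
    roles are unioned, and a collection listing http-methods is skipped for other methods."""
    best, roles = None, set()
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        sc_roles = {r.text.strip() for r in sc.iter("role-name")}
        for wrc in sc.findall("web-resource-collection"):
            methods = {m.text.strip() for m in wrc.findall("http-method")}
            if methods and method not in methods:
                continue  # unlisted method: this collection imposes nothing
            for up in wrc.findall("url-pattern"):
                rank = pattern_rank(up.text.strip(), path)
                if rank is None:
                    continue
                if best is None or rank > best:
                    best, roles = rank, set()
                if rank == best:
                    roles |= sc_roles
    return best is None or bool(roles & set(user_roles))
```

If the attachment servlet is mapped with path info (for example `/attach/*`), the constraint's url-pattern must use the same form, because an exact `/attach` pattern covers nothing below it.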


----

Looks like 2.4.100 still uses the same AttachmentServlet for both downloading and uploading attachments......

--HarryMetske

--HarryMetske, 10-Mar-2007


----

Yes, and it's rather RESTish that way.  Esp. with the new AAA system, I think we don't have to do anything to this...

--JanneJalkanen, 12-Mar-2007