开发者

how to bypass through Java EE security roles

开发者 https://www.devze.com 2023-02-10 05:01 出处:网络
Here is the example code from my web.xml <security-constraint&g开发者_如何学运维t; <display-name>

Here is the example code from my web.xml

<security-constraint&g开发者_如何学运维t;
    <display-name>
    change password</display-name>
    <web-resource-collection>
        <web-resource-name>change password</web-resource-name>
        <url-pattern>/ResetPassword.html</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>Roles which can access landing page</description>
        <role-name>Admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint> 

Only user having role "Admin" can access "ResetPassword.html" page.

There is a Java EE API that lets us to test whether current user has access to a specific role or not.

request.isUserInRole("Admin");

My default user "DefUser" is returning false because he has no role assigned and I got 403 error as DefUser cannot asscess "ResetPassword.html" page. Can I make request.isUserInRole("Admin") return true if I login with DefUser? Is there any other way to do it?

I do want to use the security constraints. This is one of the requirements that there could be a user like "DefUser" which should have permission to all pages having no roles assigned to it.

I just want to bypass these security constraints. Is there any way for "DefUser" to access "ResetPassword.html" page?

http://www.imrantariq.com/blog/


Java EE security cannot be by-passed. Otherwise, it would be as useful as a chocolate teapot.


Deploy your application to an application server. Go to the application server's administration and assign your DefUser to the role Admin. If you have other roles, assign your DefUser to those roles as well.

There you go. No bypass required.


Not sure about web.xml, but at least with security annotations on EJBs, if I remember correctly, you can configure each service either to be accessible:

  • by any user
  • by any authenticated user
  • by specific roles
0

精彩评论

暂无评论...
验证码 换一张
取 消