Acegi Plugin

Annotation based security is easy to bypass by adding ".html' to the URL

Details

  • Type: Bug Bug
  • Status: Reopened Reopened
  • Priority: Major Major
  • Resolution: Unresolved
  • Affects Version/s: Grails-Acegi 0.5
  • Fix Version/s: None
  • Labels:
    None
  • Environment:
    grails-acegi 0.5.2, grails 1.1.2

Description

http://www.grails.org/AcegiSecurity+Plugin+-+Securing+URLs describes that adding a dot, or .html to a URL
bypasses acegi security. For example, if I secure a URL:

http://localhost:8080/project/test

but browse to

http://localhost:8080/project/test.html

the latter URL will NOT be secured by the acegi plugin.

It also describes, that "this will be fixed in Grails 1.1" and "either use annotations or double-map these entries" will solve the problem.

However, using Annotations suffers exactly the same problem.

The following controller:

import org.codehaus.groovy.grails.plugins.springsecurity.Secured

class TestController {

@Secured(['ROLE_ADMIN'])
def index =

{ render text: "this page should be secured" }

}

cannot be reached using /test/index, but CAN be used using /test/index.html.

This is a serious security problem. If the bug cannot be fixed, at least the documentation of the Spring security plugin should mention that you should not use annotation based configuration at all, or it should describe a proper work around.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Burt Beckwith added a comment - - edited

This isn't the same issue as the one you reference, that was fixed in 1.1. This has to do with Content Negotiation, see http://grails.org/doc/latest/guide/6.%20The%20Web%20Layer.html#6.8%20Content%20Negotiation

The fix is to change

grails.mime.file.extensions = true

to

grails.mime.file.extensions = false

in Config.groovy.

I'll add a note in the documentation about this.

Show
Burt Beckwith added a comment - - edited This isn't the same issue as the one you reference, that was fixed in 1.1. This has to do with Content Negotiation, see http://grails.org/doc/latest/guide/6.%20The%20Web%20Layer.html#6.8%20Content%20Negotiation The fix is to change grails.mime.file.extensions = true to grails.mime.file.extensions = false in Config.groovy. I'll add a note in the documentation about this.
Hide
Permalink
Michel Vollebregt added a comment -

In grails security plugin 1.0.1 this still hasn't been resolved. Think of all the people plugging and playing the plug in, without knowing this issue, who think they have a secure website, but in fact have not.

This is really not acceptable for a plugin that pretends to add "security" to your application.

Show
Michel Vollebregt added a comment - In grails security plugin 1.0.1 this still hasn't been resolved. Think of all the people plugging and playing the plug in, without knowing this issue, who think they have a secure website, but in fact have not. This is really not acceptable for a plugin that pretends to add "security" to your application.
Hide
Permalink
Gavin Kromhout added a comment -

Well that sux, there I was claiming that our web application was secured. Suggested work around applied and tests ok. Plugin online docs updated: http://grails.org/AcegiSecurity+Plugin+-+Service+Method+Security.

Do we know if this affects spring-security-core since we should be upgrading to that?

Show
Gavin Kromhout added a comment - Well that sux, there I was claiming that our web application was secured. Suggested work around applied and tests ok. Plugin online docs updated: http://grails.org/AcegiSecurity+Plugin+-+Service+Method+Security . Do we know if this affects spring-security-core since we should be upgrading to that?

People

  • Assignee:
    Burt Beckwith
    Reporter:
    Michel Vollebregt
Vote (1)
Watch (1)

Dates

  • Created:
    Updated: