Hi,

One servlet per JSP URL is never on the menu.

The difference between the CGI Servlet and the JSP Servlet is the script-file
lookup mechanism. E.g. the two requests "/xxx/update" and "/xxx/update/abc" map
to two different JSP script files if handled by the JSP Servlet. Unfortunately,
those two different requests map to the same CGI script file if handled by the
CGI Servlet, as soon as the lookup for /xxx/update succeeds.

For the CGI part, I suggest enhancing the url-pattern ("/cgi-bin/update" +
"/cgi-bin/update/*") for each specific security-constraint, e.g.:
```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-stuff</web-resource-name>
    <url-pattern>/cgi-bin/update</url-pattern>
    <!-- CGI: refers to the same cgi script as "/cgi-bin/update" above -->
    <url-pattern>/cgi-bin/update/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```

Full web.xml for reference:
```xml
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
         id="WebApp_ID" version="6.0">
  <display-name>sec-lab</display-name>
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>/WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>executable</param-name>
      <param-value>C:\Perl\strawberry\perl\bin\perl.exe</param-value>
    </init-param>
    <load-on-startup>5</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CGI-protected-area</web-resource-name>
      <url-pattern>/cgi-bin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>staff</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-stuff</web-resource-name>
      <url-pattern>/cgi-bin/update</url-pattern>
      <url-pattern>/cgi-bin/update/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>biz-stuff</web-resource-name>
      <url-pattern>/cgi-bin/updateOrder</url-pattern>
      <url-pattern>/cgi-bin/updateOrder/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>biz</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>SecurityLab</realm-name>
  </login-config>
  <security-role>
    <description>The role is required to access cgi scripts</description>
    <role-name>staff</role-name>
  </security-role>
  <security-role>
    <description>The role is required to access administrative cgi scripts</description>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <description>The role is required to access biz purpose cgi scripts</description>
    <role-name>biz</role-name>
  </security-role>
</web-app>
```

Chenjp
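To make the point of the message above concrete, here is an added example (not code from the thread, from Tomcat, or from the sec-lab webapp). It models, in Python and from memory, the two rules the thread turns on: CGIServlet's script lookup (the first run of path segments under cgiPathPrefix that names an existing file is the script, the remainder becomes PATH_INFO) and the constraint-selection rule Tomcat applies from the Servlet spec (exact url-patterns win; otherwise only the constraints holding the longest matching "/.../*" prefix apply; then "*.ext"; then "/"). It then audits both the original three constraints and the widened ones from the web.xml above. The script inventory, request URIs and the constraint lists are constructed sample data; the function names are the example's own.

```python
"""Model of CGIServlet script lookup and web.xml constraint selection.

Added example, not Tomcat code. Both rules are re-implemented here from
memory; the script inventory and request URIs are constructed test data.
"""
import posixpath

# Constructed: files that exist under /WEB-INF/cgi in the sample webapp.
CGI_PATH_PREFIX = "/WEB-INF/cgi"
CGI_SCRIPTS = {"/WEB-INF/cgi/update", "/WEB-INF/cgi/updateOrder"}

# Constructed: the constraints as first posted (exact patterns only) ...
BASE = [
    {"name": "CGI-protected-area", "patterns": ["/cgi-bin/*"], "roles": ["staff"]},
    {"name": "admin-stuff", "patterns": ["/cgi-bin/update"], "roles": ["admin"]},
    {"name": "biz-stuff", "patterns": ["/cgi-bin/updateOrder"], "roles": ["biz"]},
]
# ... and as widened in the web.xml above (exact + "/*" for each script).
FIXED = [
    {"name": "CGI-protected-area", "patterns": ["/cgi-bin/*"], "roles": ["staff"]},
    {"name": "admin-stuff",
     "patterns": ["/cgi-bin/update", "/cgi-bin/update/*"], "roles": ["admin"]},
    {"name": "biz-stuff",
     "patterns": ["/cgi-bin/updateOrder", "/cgi-bin/updateOrder/*"], "roles": ["biz"]},
]


def resolve_cgi(path_info, scripts=CGI_SCRIPTS):
    """Mimic CGIServlet: walk the segments after the /cgi-bin mapping and
    take the first segment prefix that names a script; the rest is PATH_INFO.
    Returns (script, extra_path_info) or None when nothing matches."""
    segments = [s for s in path_info.split("/") if s]
    for i in range(1, len(segments) + 1):
        candidate = posixpath.join(CGI_PATH_PREFIX, *segments[:i])
        if candidate in scripts:
            rest = "/" + "/".join(segments[i:]) if segments[i:] else ""
            return candidate, rest
    return None


def match_kind(pattern, uri):
    """Classify how a url-pattern matches a request URI (Servlet-spec rules):
    ('exact', n), ('prefix', n) for "/x/*", ('ext', n) for "*.ext",
    ('default', 0) for "/", or None when it does not match."""
    if pattern == uri:
        return ("exact", len(pattern))
    if pattern.endswith("/*"):
        base = pattern[:-2]
        if uri == base or uri.startswith(base + "/"):
            return ("prefix", len(pattern))
    if pattern.startswith("*.") and uri.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return ("ext", len(pattern))
    if pattern == "/":
        return ("default", 0)
    return None


RANK = {"exact": 3, "prefix": 2, "ext": 1, "default": 0}


def applicable_constraints(constraints, uri):
    """Select the constraints that govern `uri`: all with an exact match, else
    all holding the longest matching prefix, else extension, else default."""
    best, chosen = None, []
    for c in constraints:
        matches = [m for m in (match_kind(p, uri) for p in c["patterns"]) if m]
        if not matches:
            continue
        kind, length = max(matches, key=lambda m: (RANK[m[0]], m[1]))
        key = (RANK[kind], length if kind == "prefix" else 0)
        if best is None or key > best:
            best, chosen = key, [c]
        elif key == best:
            chosen.append(c)
    return chosen


def required_roles(constraints, uri):
    """Sorted role-names named by the constraints that govern `uri`."""
    roles = set()
    for c in applicable_constraints(constraints, uri):
        roles.update(c["roles"])
    return sorted(roles)


def audit(constraints, scripts=CGI_SCRIPTS):
    """The check to run before deploying: for every script, compare the roles
    governing its exact URI with those governing a sub-path of it (same
    script, PATH_INFO set). A difference means the sub-path bypasses the
    per-script constraint. Returns {uri: (exact_roles, subpath_roles)}."""
    findings = {}
    for script in sorted(scripts):
        exact = "/cgi-bin" + script[len(CGI_PATH_PREFIX):]
        sub = exact + "/x"
        a, b = required_roles(constraints, exact), required_roles(constraints, sub)
        if a != b:
            findings[exact] = (a, b)
    return findings


if __name__ == "__main__":
    print(resolve_cgi("/update"), resolve_cgi("/update/abc"))  # same script
    print("BASE :", audit(BASE))   # both scripts reachable with "staff" only
    print("FIXED:", audit(FIXED))  # {} - sub-paths now need the same role
```

With BASE, `/cgi-bin/update/abc` has no exact match, so the longest prefix `/cgi-bin/*` (staff) is the only constraint consulted, yet CGIServlet still executes `/WEB-INF/cgi/update`. With the widened patterns, `/cgi-bin/update/*` is the longer prefix and the admin constraint governs both forms of the URI, which is what the audit confirms.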

________________________________
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Thursday, April 10, 2025 2:22
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: Re: HOWTO: the right way to configure security constraints to protect 
CGI scripts in web.xml

Mark,

On 4/8/25 5:40 PM, Mark Thomas wrote:
> 8 Apr 2025 21:45:50 Christopher Schultz <ch...@christopherschultz.net>:
>
>> Justin,
>>
>> On 4/8/25 3:16 AM, Justin Chen wrote:
>>> Dear users and supporters,
>>> Currently I have two CGI scripts:
>>> 1. "/cgi-bin/update" //an administrative command, required role="admin"
>>> 2. "/cgi-bin/updateOrder" //update order, required role="biz"
>>> In order to protect above endpoints via web.xml security-constraints
>>> mechanism, how shall I do?
>>
>> It should be as simple as this in your web.xml:
>
> Whether the below is correct depends on how the CGI Servlet is mapped.
> And the OP hasn't provided that information.

+1

I first wrote, then deleted three paragraphs on that exact topic before
sending my reply. I didn't want to go into too much detail because it
really depends upon the use case.

The best thing to do is declare exactly one CGI script per url-pattern,
then match all security constraints matching each of those url-patterns.

-chris

