Security Hole?

As referred to in a previous post, it is not possible to protect access to nonXml documents called using plain URLs. This problem, stated for version 1.2.1.5, does not look to be solved in version 2.3.1.4.
It looks as if the only way to restrict access to nonXml documents is by playing with the apache configuration. Quite painful.
I really hope to be wrong, but the hole looks much bigger: it looks as if Tamino security does not get involved whenever you try to access any information with a plain URL.
Let me try to explain myself.
Having an XML object:



Stored in the AllUsers collection.
Access to the info in the form
http://localhost/.../AllUser?_xql=ApplUser[@ino:id="1"]
can be protected by the ino:security collection, but read access is ALWAYS GRANTED for calls in the form
http://localhost/.../AllUser/ApplUser/@1
This works for nonXml and XML objects!!!
OK, this can be solved by Apache policies, but then I find it reasonable to give 25% of the Tamino fees to Apache.
I will really appreciate an answer from anyone who could confirm that I am completely wrong.
Thanks.

I tried it myself and everything was OK in 2.3.1.4

Here is my security info (ino:security)

<ino:user ino:id="1" ino:userid="user" xmlns:ino="Software AG Product Documentation" />
<ino:user ino:id="2" ino:userid="guest" xmlns:ino="Software AG Product Documentation" />
<ino:group ino:id="1" ino:groupname="group" xmlns:ino="Software AG Product Documentation">
  <ino:userref>user</ino:userref>
  <ino:aclref>read documents</ino:aclref>
</ino:group>
<ino:group ino:id="2" ino:groupname="guests" xmlns:ino="Software AG Product Documentation">
  <ino:userref>guest</ino:userref>
  <ino:aclref>no access</ino:aclref>
</ino:group>
<ino:acl ino:id="2" ino:aclname="read documents" xmlns:ino="Software AG Product Documentation">
  <ino:ace ino:access="read">test/document</ino:ace>
</ino:acl>
<ino:acl ino:id="1" ino:aclname="no access" xmlns:ino="Software AG Product Documentation">
  <ino:ace ino:access="no">test/document</ino:ace>
</ino:acl>

The request was http://server/tamino/database/test/document/@1

I got the XML document when I logged in as "user".
And when I logged in as "guest", the error "HTTP 400 - Bad Request" appeared.

So check your sample again.

By the way, I think there is no problem with nonXML documents either, though I have not tried it yet.

[This message was edited by Alexander on 07 Oct 2001 at 10:08.]

I am happy to hear that Alexander.
I carefully checked our schemas, users, groups, ACLs, Apache configuration and so on again. Everything is OK and we keep having the same problem, but… I thought we were running 2.3.1.4 and we are not; we are on 2.3.1.1. From your email it looks as if the problem is solved in the newest version.

Thanks.
Gorka.

I have had it confirmed by Software AG support that this problem exists in versions older than 2.3.1.4 (Windows) and 2.3.1.2 (Solaris).
Gorka.

Sorry. What do you mean it still exists? With nonXML objects?

Hello Alexander.
The problem was that plain URL calls such as
http://server/tamino/database/collection/document/@1
are not checked against the Tamino security policies in the dispatcher. This happens for XML and nonXml documents. The result is that any user granted access by the web server has read access to the complete database.

I have been told that this bug has been solved in Tamino Versions 2.3.1.4 for Windows and 2.3.1.2 for Solaris.
Hope this answers your question.
Gorka.
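A way for an administrator to verify, after upgrading, that the dispatcher enforces ino:security on the plain /doctype/@id URL form and not only on _xql queries. This is an added example, not code from the thread or from Software AG; the server address, database name and the guest password are constructed placeholders, and the denied-user status is treated as any non-2xx code because Alexander saw "HTTP 400 - Bad Request" rather than 401/403.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholder: point this at your own Tamino server and database.
BASE = "http://server/tamino/database"


def build_urls(base, collection, doctype, ino_id):
    """Return the two URL forms discussed in the thread for one document."""
    xql = urllib.parse.quote(f'{doctype}[@ino:id="{ino_id}"]', safe="")
    xql_url = f"{base}/{collection}?_xql={xql}"
    direct_url = f"{base}/{collection}/{doctype}/@{ino_id}"
    return xql_url, direct_url


def fetch_status(url, userid, password, timeout=10):
    """GET the URL with HTTP Basic credentials and return the status code.
    A denial from Tamino is a non-2xx reply, so an HTTPError is returned
    as its code rather than raised."""
    token = base64.b64encode(f"{userid}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(xql_status, direct_status):
    """Compare both URL forms for the same user and document.
    'bypass' is the condition reported in the thread: the _xql query is
    refused by the ACL but the plain /doctype/@id form returns the document."""
    xql_ok = 200 <= xql_status < 300
    direct_ok = 200 <= direct_status < 300
    if xql_ok and direct_ok:
        return "readable"      # ACL grants read; both forms consistent
    if not xql_ok and not direct_ok:
        return "enforced"      # ACL denies both forms, the fixed behaviour
    if not xql_ok and direct_ok:
        return "bypass"        # the hole described in this thread
    return "inconsistent"      # _xql allowed but direct form refused; investigate


def check_document(base, collection, doctype, ino_id, userid, password):
    """Probe both forms as the given user and classify the outcome."""
    xql_url, direct_url = build_urls(base, collection, doctype, ino_id)
    return classify(fetch_status(xql_url, userid, password),
                    fetch_status(direct_url, userid, password))


if __name__ == "__main__":
    # 'guest' is in the 'no access' ACL of Alexander's sample; password is a placeholder.
    print(check_document(BASE, "test", "document", 1, "guest", "guest-password"))
```

Run it once per ACL-restricted user and document type; any "bypass" result means the dispatcher is still serving the plain URL form without consulting ino:security.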