RDF4J security nor working as expected

[volkerjaenisch]

Dear RDF4J!

Currently I am working on an open source Python RDF4J Connector, utilizing the REST_API to bring RDF4J to the Python world. Writing tests to check for security issues I stumbled over the following.

I am not a Java developer and therefore a bloody beginner with tomcat security. I am sure I did a configuration error.

I added the following security constraints to the web.xml file of the RDF4J server:

    <!-- admin Role -->
    <security-role>
        <description>
            The role that is required to access the RDF4J server configuration
        </description>
        <role-name>rdf4j-admin</role-name>
    </security-role>

    <!-- viewer Role -->
    <security-role>
        <description>
            Read only access to repository data
        </description>
        <role-name>rdf4j-viewer</role-name>
    </security-role>

    <!-- editor Role -->
    <security-role>
        <description>
            Read/write access to repository data
        </description>
        <role-name>rdf4j-editor</role-name>
    </security-role>

    <!-- Reading repositories only for rdf4j-admin-->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>repositories</web-resource-name>
            <url-pattern>/repositories</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>rdf4j-admin</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Viewer contraints for reading repositories -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SPARQL query access to the 'datenadler' repositories</web-resource-name>
            <url-pattern>/repositories/datenadler_*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>rdf4j-viewer</role-name>
            <role-name>rdf4j-editor</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Editor contraints for writing to repositories -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SPARQL query access to the 'datenadler' repositories</web-resource-name>
            <url-pattern>/repositories/datenadler_*</url-pattern>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>rdf4j-editor</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- SYSTEM contraints for manipulating repositotries -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>config</web-resource-name>
            <url-pattern>/repositories/SYSTEM</url-pattern>
            <url-pattern>/repositories/SYSTEM/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>rdf4j-admin</role-name>
        </auth-constraint>
    </security-constraint>

With these constraints I expected for instance that a user with the rdf4j-viewer role cannot drop a repository. The drop operation has to use the HTTP-Delete Method, which is only allowed for the rdf4j-admin role.

But nevertheless the viewer with role rdf4j-viewer is able to drop a repository.

Is there a way to introspect/audit the security constraints in tomcat?
Were can I set a default policy for all URIs in tomcat?

Any help appreciated

Volker

[barthanssens]

Not a Tomcat expert either, but perhaps

        <web-resource-collection>
            <web-resource-name>config</web-resource-name>
            <url-pattern>/repositories/SYSTEM</url-pattern>
            <url-pattern>/repositories/SYSTEM/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>rdf4j-admin</role-name>
        </auth-constraint>

should have another url-pattern:

        <web-resource-collection>
            <web-resource-name>config</web-resource-name>
            <url-pattern>/repositories/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>rdf4j-admin</role-name>
        </auth-constraint>

And perhaps also check if the endpoint really is /repositories (could also be /rdf4j-server/repositories)

I assume there is also a login-config somewhere in the web.xml ?

Hope this helps

Bart

[barthanssens]

Hmz, never mind the url-pattern, my bad, your example seems correct

But check if the endpoint is /repositories (instead of e.g. /rdf4j-server/repositories), and the login-config is configured.

[volkerjaenisch]

@barthanssens
Thank you for the fast answers!

At first I facepalmed myself. Sure the URL-Patterns are starting at /repositories and not at /rdf4j-server/repositories.
So I changed the patterns. But my initial config was correct.
From this log message

Suspicious URL pattern: [/repositories/datenadler_*] in context [/rdf4j-server], see sections 12.1 and 12.2 of the Servlet specification
I can conclude that the current context is /rdf4j-server and therefore my initial config is indeed not complete bullshit.

If I intentionally damage a tag in the security specification I am rewarded with an error message in the log, so I am quite sure that the web.xml I am using is the one which is loaded by tomcat.

BTW I see the following stacktrace concerning lockback in the logfile. But I do not expect a logging problem to interfere with HTTP-Security.

So I am not the wiser. Any further Ideas? Or may someone please be so kind and try to reproduce my findings. Maybe it really is a bug.

For completeness I attach my complete web.xml
web.xml.zip
web.xml.zip
.

Cheers,
Volker

2021-07-08 17:25:52] [info] 17:25:52,548 |-ERROR in ch.qos.logback.core.joran.spi.Interpreter@8:76 - ActionException in Action for tag [appender] ch.qos.logback.core.joran.spi.ActionException: ch.qos.logback.core.util.DynamicClassLoadingException: Failed to instantiate type org.apache.log4j.RollingFileAppender
[2021-07-08 17:25:52] [info] #011at ch.qos.logback.core.joran.spi.ActionException: ch.qos.logback.core.util.DynamicClassLoadingException: Failed to instantiate type org.apache.log4j.RollingFileAppender
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.joran.action.AppenderAction.begin(AppenderAction.java:76)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.joran.spi.Interpreter.callBeginAction(Interpreter.java:269)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.joran.spi.Interpreter.startElement(Interpreter.java:145)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.joran.spi.Interpreter.startElement(Interpreter.java:128)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.joran.spi.EventPlayer.play(EventPlayer.java:50)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.joran.GenericConfigurator.doConfigure(GenericConfigurator.java:165)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.joran.GenericConfigurator.doConfigure(GenericConfigurator.java:152)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.joran.GenericConfigurator.doConfigure(GenericConfigurator.java:110)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.joran.GenericConfigurator.doConfigure(GenericConfigurator.java:53)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.classic.util.ContextInitializer.configureByResource(ContextInitializer.java:75)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.classic.util.ContextInitializer.autoConfig(ContextInitializer.java:150)
[2021-07-08 17:25:52] [info] #011at #011at org.slf4j.impl.StaticLoggerBinder.init(StaticLoggerBinder.java:84)
[2021-07-08 17:25:52] [info] #011at #011at org.slf4j.impl.StaticLoggerBinder.<clinit>(StaticLoggerBinder.java:55)
[2021-07-08 17:25:52] [info] #011at #011at org.slf4j.LoggerFactory.bind(LoggerFactory.java:150)
[2021-07-08 17:25:52] [info] #011at #011at org.slf4j.LoggerFactory.performInitialization(LoggerFactory.java:124)
[2021-07-08 17:25:52] [info] #011at #011at org.slf4j.LoggerFactory.getILoggerFactory(LoggerFactory.java:417)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.classic.util.StatusViaSLF4JLoggerFactory.addStatus(StatusViaSLF4JLoggerFactory.java:32)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.classic.util.StatusViaSLF4JLoggerFactory.addInfo(StatusViaSLF4JLoggerFactory.java:20)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.classic.servlet.LogbackServletContainerInitializer.onStartup(LogbackServletContainerInitializer.java:32)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5135)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:690)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:705)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1132)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1866)
[2021-07-08 17:25:52] [info] #011at #011at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
[2021-07-08 17:25:52] [info] #011at #011at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
[2021-07-08 17:25:52] [info] #011at #011at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:118)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:1044)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:429)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1575)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
[2021-07-08 17:25:52] [info] #011at #011at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
[2021-07-08 17:25:52] [info] #011at #011at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:140)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
[2021-07-08 17:25:52] [info] #011at #011at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2021-07-08 17:25:52] [info] #011at #011at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[2021-07-08 17:25:52] [info] #011at #011at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2021-07-08 17:25:52] [info] #011at #011at java.base/java.lang.reflect.Method.invoke(Method.java:566)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
[2021-07-08 17:25:52] [info] #011at #011at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
[2021-07-08 17:25:52] [info] Caused by: ch.qos.logback.core.util.DynamicClassLoadingException: Failed to instantiate type org.apache.log4j.RollingFileAppender
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.util.OptionHelper.instantiateByClassNameAndParameter(OptionHelper.java:69)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.util.OptionHelper.instantiateByClassName(OptionHelper.java:45)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.util.OptionHelper.instantiateByClassName(OptionHelper.java:34)
[2021-07-08 17:25:52] [info] #011at #011at ch.qos.logback.core.joran.action.AppenderAction.begin(AppenderAction.java:52)
[2021-07-08 17:25:52] [info] #011at #011... 58 common frames omitted

[volkerjaenisch]

I am replying to myself.

I am not really sure what the error was, but now I get 403 (Access denied) errors as expected. I suspect that systemd f***ed with me. The only change I did was doing tomcat stop/start instead of restart. Probably restart does not really load the changed configuration. I will have to investigate this nasty behavior and change it to a more reasonable behavior.

Sorry for having bothered you, for nothing.

Cheers,
Volker

[barthanssens]

Ah no problem, glad you were able to solve it