JAAS authentication bypass - Vulnerability Database

JAAS authentication bypass

Description

Manual confirmation is required for this alert.

This vulnerability occurs when Java Authentication and Authorization Service (JAAS) security constraints are improperly configured in web applications. JAAS is Java's implementation of the Pluggable Authentication Module (PAM) framework, designed to manage authentication and authorization independently from application code.

A common misconfiguration involves defining security constraints for only specific HTTP methods (such as GET and POST) while leaving other methods (such as HEAD, PUT, or DELETE) unprotected. When security constraints specify individual HTTP methods, any methods not explicitly listed remain accessible without authentication, allowing attackers to bypass authentication controls entirely by using alternative HTTP methods to access protected resources.

Remediation

Remove all <http-method> elements from your <security-constraint> definitions in the web.xml deployment descriptor. When no HTTP methods are explicitly specified, the security constraint automatically applies to all HTTP methods, preventing bypass attacks.

Vulnerable Configuration:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

Secure Configuration:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <!-- No http-method elements - applies to ALL methods -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

After making this change, redeploy your application and verify that all HTTP methods (GET, POST, HEAD, PUT, DELETE, etc.) properly enforce authentication for protected resources.
