axis-java-dev mailing list archives

From "Jens Schumann (JIRA)" <j...@apache.org>
Subject [jira] Commented: (AXIS2-580) Admin Console Security does not work at all
Date Mon, 17 Apr 2006 17:28:18 GMT
    [ http://issues.apache.org/jira/browse/AXIS2-580?page=comments#action_12374787 ] 

Jens Schumann commented on AXIS2-580:
-------------------------------------

While it is important to fix this issue ASAP it would be better to go for AXIS2-581.

> Admin Console Security does not work at all
> -------------------------------------------
>
>          Key: AXIS2-580
>          URL: http://issues.apache.org/jira/browse/AXIS2-580
>      Project: Apache Axis 2.0 (Axis2)
>         Type: Bug
>   Components: Tools
>     Versions: 0.95
>     Reporter: Jens Schumann
>     Priority: Blocker
>
> (copy and paste from http://marc.theaimsgroup.com/?l=axis-dev&m=114528552707863&w=2)
> The current admin console security implementation contains several security flaws:
> - The security checks themselves seem to happen in the VIEW only, after
> the action was processed. So if I am not mistaken I can manually create the
> admin URLs and deactivate services and so on. (Getting a rendering error of
> course afterwards)
> - One could argue that in a production environment you will not enable the
> AdminServlet. However it seems that the current AxisServlet doGet
> implementation will forward processing to the ListingAgent if there is no
> SOAP request, which in turn means that I can disable services without
> knowing the username/password.
> To test the bug just deploy axis2.war and request the following URL:
> http://localhost:8080/axis2/inActivateService?axisService=version&turnoff=on&submit=+In-activate+
> "version" will be deactivated afterwards.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
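The ordering flaw the report describes (the admin action runs first, the login check sits in the view afterwards, and any non-SOAP GET reaches the agent that performs the action) modelled as an added example. This is illustrative code written for this page, not Axis2's own servlet code; `Request`, `ServiceRegistry`, `flawed_do_get`, `hardened_do_get` and `probe` are constructed names, and the model is in Python rather than Java so it can be run stand-alone. The flawed handler deactivates the service and only then fails to render; the hardened handler refuses the admin path before touching any state.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    """Minimal stand-in for an HttpServletRequest (constructed for this example)."""
    path: str
    params: Dict[str, str]
    soap_body: Optional[bytes] = None
    session: Dict[str, bool] = field(default_factory=dict)


class AuthError(Exception):
    """Raised when an admin action is attempted without a logged-in session."""


class RenderError(Exception):
    """Stand-in for the rendering error the report mentions."""


class ServiceRegistry:
    """Hypothetical registry holding the active/inactive flag per service."""

    def __init__(self, services):
        self.active = {name: True for name in services}

    def deactivate(self, name: str) -> None:
        if name not in self.active:
            raise KeyError(name)
        self.active[name] = False


def flawed_do_get(req: Request, registry: ServiceRegistry) -> str:
    """Models the flow the report describes: a non-SOAP GET is forwarded to the
    listing/admin agent, the action runs, and only the view checks the login."""
    if req.soap_body is not None:
        return "soap"
    if req.path == "/inActivateService":
        # State change happens before any credential is inspected.
        registry.deactivate(req.params["axisService"])
        return flawed_render_admin_view(req)
    return "listing"


def flawed_render_admin_view(req: Request) -> str:
    # The only auth check lives in the view, i.e. after the side effect.
    if not req.session.get("logged_in"):
        raise RenderError("admin view requires login")
    return "rendered"


ADMIN_ACTIONS = {"/inActivateService"}


def hardened_do_get(req: Request, registry: ServiceRegistry) -> str:
    """Same entry point with the check moved in front of the state change."""
    if req.soap_body is not None:
        return "soap"
    if req.path in ADMIN_ACTIONS:
        if not req.session.get("logged_in"):
            raise AuthError("admin action requires login")
        registry.deactivate(req.params["axisService"])
        return "rendered"
    return "listing"


def probe(handler, logged_in: bool = False) -> bool:
    """Send the report's deactivate request through `handler` and return whether
    the 'version' service is still active afterwards."""
    registry = ServiceRegistry(["version"])
    req = Request(  # constructed request mirroring the URL in the report
        path="/inActivateService",
        params={"axisService": "version", "turnoff": "on", "submit": " In-activate "},
        session={"logged_in": True} if logged_in else {},
    )
    try:
        handler(req, registry)
    except (AuthError, RenderError):
        pass  # the request fails to render; the question is whether the side effect happened
    return registry.active["version"]


if __name__ == "__main__":
    print("flawed, no login   -> version active:", probe(flawed_do_get))           # False
    print("hardened, no login -> version active:", probe(hardened_do_get))         # True
    print("hardened, login    -> version active:", probe(hardened_do_get, True))   # False
```

The check a practitioner wants is the first line of output: with the flawed ordering the rendering error is a red herring, because the service is already inactive by the time it is thrown. Moving the credential check in front of the state change, and keeping admin actions off the unauthenticated GET path entirely, is what closes the hole.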

