axis-java-dev mailing list archives

From "Jens Schumann (JIRA)" <j...@apache.org>
Subject [jira] Created: (AXIS2-580) Admin Console Security does not work at all
Date Mon, 17 Apr 2006 17:18:19 GMT
Admin Console Security does not work at all
-------------------------------------------

         Key: AXIS2-580
         URL: http://issues.apache.org/jira/browse/AXIS2-580
     Project: Apache Axis 2.0 (Axis2)
        Type: Bug

  Components: Tools  
    Versions: 0.95    
    Reporter: Jens Schumann
    Priority: Blocker


(copy and paste from http://marc.theaimsgroup.com/?l=axis-dev&m=114528552707863&w=2)
The current admin console security implementation contains several security flaws:

- The security checks themselves seem to happen in the VIEW only, after
the action was processed. So if I am not mistaken I can manually create the
admin URLs and deactivate services and so on (getting a rendering error of
course afterwards).
- One could argue that in a production environment you will not enable the
AdminServlet. However, it seems that the current AxisServlet doGet
implementation will forward processing to the ListingAgent if there is no
SOAP request, which in turn means that I can disable services without
knowing the username/password.

To test the bug just deploy axis2.war and request the following URL:
http://localhost:8080/axis2/inActivateService?axisService=version&turnoff=on&submit=+In-activate+
Afterwards, version will be deactivated.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
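The ordering problem the report describes, as an added illustration that is not Axis2 code: the vulnerable dispatcher performs the state-changing admin action first and only the view that follows looks at the session, so an anonymous GET deactivates the service and merely produces a rendering error; the hardened dispatcher gates every admin path before any action runs. Request, ServiceRegistry, vulnerableDoGet and hardenedDoGet are hypothetical stand-ins for the servlet request/session and the deployed-service table, and the "/activateService" path with its "turnon" parameter is an assumed counterpart to the inActivateService URL from the report.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example modelling the bug in AXIS2-580; none of this is Axis2 code.
 * Request, ServiceRegistry, vulnerableDoGet and hardenedDoGet are hypothetical.
 */
public class AdminDispatchDemo {

    /** Minimal stand-in for HttpServletRequest plus its HttpSession. */
    static final class Request {
        final String path;
        final Map<String, String> params = new HashMap<>();
        final Map<String, Object> session = new HashMap<>();

        Request(String path) { this.path = path; }
        Request param(String name, String value) { params.put(name, value); return this; }
        Request loggedIn() { session.put("logged", Boolean.TRUE); return this; }
    }

    /** Stand-in for the deployed-service table; "version" is the sample service from the report. */
    static final class ServiceRegistry {
        private final Map<String, Boolean> active = new HashMap<>();

        ServiceRegistry() { active.put("version", Boolean.TRUE); }
        boolean isActive(String name) { return Boolean.TRUE.equals(active.get(name)); }
        void setActive(String name, boolean on) { if (active.containsKey(name)) active.put(name, on); }
    }

    static boolean isAuthenticated(Request req) {
        return Boolean.TRUE.equals(req.session.get("logged"));
    }

    /** Vulnerable ordering: the action mutates state first; only the view checks the session. */
    static String vulnerableDoGet(Request req, ServiceRegistry reg) {
        if (req.path.equals("/inActivateService") && "on".equals(req.params.get("turnoff"))) {
            reg.setActive(req.params.get("axisService"), false); // already done for anonymous callers
        }
        if (!isAuthenticated(req)) {
            return "render error: not logged in"; // too late, the service is already off
        }
        return "admin page rendered";
    }

    /** Hardened ordering: every admin path is gated before any state-changing code runs. */
    static String hardenedDoGet(Request req, ServiceRegistry reg) {
        boolean adminPath = req.path.equals("/inActivateService") || req.path.equals("/activateService");
        if (adminPath && !isAuthenticated(req)) {
            return "403 Forbidden"; // nothing has been changed
        }
        if (req.path.equals("/inActivateService") && "on".equals(req.params.get("turnoff"))) {
            reg.setActive(req.params.get("axisService"), false);
        } else if (req.path.equals("/activateService") && "on".equals(req.params.get("turnon"))) {
            reg.setActive(req.params.get("axisService"), true); // assumed parameter name
        }
        return "admin page rendered";
    }

    public static void main(String[] args) {
        // Same anonymous request as in the report: no session, just the crafted URL parameters.
        Request anon = new Request("/inActivateService")
                .param("axisService", "version").param("turnoff", "on");

        ServiceRegistry vulnerable = new ServiceRegistry();
        System.out.println(vulnerableDoGet(anon, vulnerable)
                + " / version active: " + vulnerable.isActive("version"));

        ServiceRegistry hardened = new ServiceRegistry();
        System.out.println(hardenedDoGet(anon, hardened)
                + " / version active: " + hardened.isActive("version"));

        // A logged-in admin can still deactivate the service through the hardened path.
        Request admin = new Request("/inActivateService")
                .param("axisService", "version").param("turnoff", "on").loggedIn();
        System.out.println(hardenedDoGet(admin, hardened)
                + " / version active: " + hardened.isActive("version"));
    }
}
```

The same gate has to sit on every entry point that can reach the admin actions; the report's second point is that AxisServlet.doGet forwards non-SOAP requests to the ListingAgent, so protecting AdminServlet alone leaves the crafted URL working through that route.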

