axis-java-dev mailing list archives

From "Jens Schumann (JIRA)" <>
Subject [jira] Commented: (AXIS2-580) Admin Console Security does not work at all
Date Tue, 18 Apr 2006 08:27:18 GMT

Jens Schumann commented on AXIS2-580:

Looks like it's being fixed. But don't get me wrong - this is just an Axis2 1.0 Release hack.
Isn't it? ;)

> Admin Console Security does not work at all
> -------------------------------------------
>          Key: AXIS2-580
>          URL:
>      Project: Apache Axis 2.0 (Axis2)
>         Type: Bug
>   Components: Tools
>     Versions: 0.95
>     Reporter: Jens Schumann
>     Priority: Blocker
>
> (copy and paste from
> The current admin console security implementation contains several security flaws:
> - The security checks themselves seem to happen in the VIEW only, after
> the action was processed. So if I am not mistaken I can manually create the
> admin URLs and deactivate services and so on. (Getting a rendering error of
> course afterwards)
> - One could argue that in a production environment you will not enable the
> AdminServlet. However it seems that the current AxisServlet doGet
> implementation will forward processing to the ListingAgent if there is no
> SOAP request. Which in turn means that I can disable services without
> knowing the username/password.
> To test the bug just deploy axis2.war and request the following URL: http://localhost:8080/axis2/inActivateService?axisService=version&turnoff=on&submit=+In-activate+
> The version service will be deactivated afterwards.
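The ordering flaw the report describes (authorization checked only when the result view is rendered, after the action has already run) is fixed by authorizing before dispatch. The following is an added illustration, not Axis2's own code: a hypothetical servlet filter that refuses state-changing admin actions unless an authenticated admin session exists. Only inActivateService comes from the report; the other action names and the session attribute are assumed.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter (not part of Axis2): the check runs BEFORE the servlet
// processes the action, so a hand-built admin URL never reaches the agent.
// Because it is a filter on the servlet path, it also covers the doGet path
// that forwards non-SOAP requests to the listing agent.
public class AdminActionAuthFilter implements Filter {
    // State-changing admin actions that must never run unauthenticated.
    // "inActivateService" is named in the report; the others are assumed.
    private static final Set<String> PROTECTED_ACTIONS = Set.of(
        "inActivateService", "activateService", "deleteService");

    // Session attribute assumed to be set by the admin login handler
    // (a constructed name, not Axis2's real attribute).
    static final String ADMIN_SESSION_KEY = "adminAuthenticated";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        if (isProtectedAction(http) && !isAdminSession(http.getSession(false))) {
            // Deny before any state changes; a 403 here is also a useful
            // detection signal for unauthenticated admin attempts.
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "admin login required");
            return;
        }
        chain.doFilter(req, res);
    }

    // Last path segment of the request URI (query string is not part of it).
    static boolean isProtectedAction(HttpServletRequest req) {
        String uri = req.getRequestURI();
        String action = uri.substring(uri.lastIndexOf('/') + 1);
        return PROTECTED_ACTIONS.contains(action);
    }

    static boolean isAdminSession(HttpSession s) {
        return s != null && Boolean.TRUE.equals(s.getAttribute(ADMIN_SESSION_KEY));
    }
}
```

Map the filter to the admin servlet's URL pattern in web.xml so it runs for every request, SOAP or not.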

This message is automatically generated by JIRA.
