geronimo-dev mailing list archives

From "Aaron Mulder (JIRA)" <...@geronimo.apache.org>
Subject [jira] Created: (GERONIMO-1384) Web app with no Geronimo plan makes all secure pages insecure
Date Sun, 18 Dec 2005 19:09:36 GMT
Web app with no Geronimo plan makes all secure pages insecure
-------------------------------------------------------------

         Key: GERONIMO-1384
         URL: http://issues.apache.org/jira/browse/GERONIMO-1384
     Project: Geronimo
        Type: Bug
  Components: web, security  
    Versions: 1.0-M5    
    Reporter: Aaron Mulder
    Priority: Blocker
     Fix For: 1.0


If you deploy a web application with certain pages/URLs protected by a login, but you don't
include a Geronimo deployment plan, all those pages/URLs are unprotected.  To replicate:

Deploy this with no plan: http://cvs.apache.org/repository/geronimo/wars/geronimo-ldap-demo-1.0-SNAPSHOT.war
and then visit http://localhost:8080/geronimo-ldap-demo-1.0-SNAPSHOT and click the links to
"secure" and "forbidden".  Both links work, with no login prompt.  Instead, you should get
a login prompt and (since no realm was configured) all logins should fail.

The web.xml in this case contains:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Admin Role</web-resource-name>
        <url-pattern>/protect/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>content-administrator</role-name>
      </auth-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>No Access</web-resource-name>
        <url-pattern>/forbidden/*</url-pattern>
      </web-resource-collection>
      <auth-constraint/>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>MYREALM</realm-name>
      <form-login-config>
        <form-login-page>/auth/logon.html?param=test</form-login-page>
        <form-error-page>/auth/logonError.html?param=test</form-error-page>
      </form-login-config>
    </login-config>

    <security-role>
      <role-name>content-administrator</role-name>
    </security-role>


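Editor's added example, not code from the bug report or from the Geronimo project: a small audit script that reads the <security-constraint> and <login-config> elements out of a web.xml, probes each constrained url-pattern without credentials, and reports any pattern the container serves with a plain 200 instead of a login prompt, a 401/403, or the FORM login page (recognisable by its j_security_check action). The web.xml text embedded below is a constructed copy of the constraints quoted in the report; the two canned fetchers reproduce the broken behaviour described ("both links work, with no login prompt") and the expected behaviour, and http_fetcher is the one to point at a live deployment such as the URL in the report. The base URL, the probe-path convention and the "enforced" heuristic are assumptions of this example.

```python
"""Check that a servlet container really enforces a web.xml's security
constraints.  Added example; assumes an unauthenticated probe of a protected
path must end in 401/403, on the form-login page, or in a page carrying the
j_security_check form.  Anything else is reported as UNPROTECTED."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

# Constructed web.xml excerpt mirroring the constraints in the report above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Role</web-resource-name>
      <url-pattern>/protect/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>content-administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No Access</web-resource-name>
      <url-pattern>/forbidden/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/auth/logon.html?param=test</form-login-page>
      <form-error-page>/auth/logonError.html?param=test</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

Response = Tuple[int, str, str]          # (status, final context-relative path, body)
Fetcher = Callable[[str], Response]      # injected so the audit runs offline too


def _local(tag: str) -> str:
    """Strip an XML namespace so namespaced and plain web.xml both parse."""
    return tag.rsplit("}", 1)[-1]


def _children(elem: ET.Element, name: str) -> List[ET.Element]:
    return [c for c in elem if _local(c.tag) == name]


def constraints(web_xml: str) -> List[Tuple[str, List[str]]]:
    """Return (url-pattern, roles) for every access-restricting constraint.
    A constraint without <auth-constraint> only sets a transport guarantee
    and restricts nobody, so it is skipped."""
    out = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        acs = _children(sc, "auth-constraint")
        if not acs:
            continue
        roles = [r.text.strip() for r in _children(acs[0], "role-name") if r.text]
        for wrc in _children(sc, "web-resource-collection"):
            for up in _children(wrc, "url-pattern"):
                if up.text:
                    out.append((up.text.strip(), roles))
    return out


def login_page(web_xml: str) -> str:
    """Path of the FORM login page, query string dropped ('' if none)."""
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "form-login-page" and el.text:
            return el.text.strip().split("?", 1)[0]
    return ""


def probe_path(pattern: str) -> str:
    """Turn a url-pattern into one concrete path: '/protect/*' -> '/protect/',
    '*.jsp' -> '/probe.jsp', exact paths unchanged (assumed convention)."""
    if pattern.startswith("*."):
        return "/probe" + pattern[1:]
    return pattern[:-1] if pattern.endswith("/*") else pattern


def is_enforced(resp: Response, login: str) -> bool:
    status, final_path, body = resp
    if status in (401, 403):
        return True
    if login and final_path.startswith(login):
        return True                       # redirected to the login page
    return status == 200 and "j_security_check" in body   # login page forwarded


def audit(web_xml: str, fetch: Fetcher) -> Dict[str, str]:
    """Map each constrained url-pattern to 'enforced' or 'UNPROTECTED'."""
    login = login_page(web_xml)
    return {p: ("enforced" if is_enforced(fetch(probe_path(p)), login) else "UNPROTECTED")
            for p, _roles in constraints(web_xml)}


def buggy_fetcher(path: str) -> Response:
    """Canned responses reproducing the report: everything served, no prompt."""
    return 200, path, "<html>secret content</html>"


def fixed_fetcher(path: str) -> Response:
    """Canned responses for a container that honours the constraints."""
    if path.startswith("/forbidden/"):
        return 403, path, "Forbidden"
    return 200, "/auth/logon.html", "<form action='j_security_check'>"


def http_fetcher(base_url: str) -> Fetcher:
    """Fetcher for a live server; base_url includes the context root, e.g.
    http://localhost:8080/geronimo-ldap-demo-1.0-SNAPSHOT (assumed)."""
    import urllib.error, urllib.parse, urllib.request
    ctx = urllib.parse.urlparse(base_url).path

    def fetch(path: str) -> Response:
        try:
            with urllib.request.urlopen(base_url + path, timeout=10) as r:
                final = urllib.parse.urlparse(r.geturl()).path
                final = final[len(ctx):] if final.startswith(ctx) else final
                return r.status, final, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:   # 401/403/404 land here
            return e.code, path, e.read().decode("utf-8", "replace")
    return fetch


if __name__ == "__main__":
    import sys
    fetcher = http_fetcher(sys.argv[1]) if len(sys.argv) > 1 else buggy_fetcher
    for pattern, verdict in audit(WEB_XML, fetcher).items():
        print(f"{pattern:15s} {verdict}")
```

Run with no arguments to see the report's symptom reproduced against the canned responses; pass the deployed context URL to probe a real server. The "enforced" test is deliberately loose (Jetty and Tomcat differ on whether they redirect to or forward the FORM login page), so a result of UNPROTECTED means the resource body came back with no authentication step at all, which is exactly the failure described above.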

