From "Aaron Mulder (JIRA)" <>
Subject [jira] Updated: (GERONIMO-1384) Web app with no Geronimo plan makes all secure pages insecure
Date Sun, 18 Dec 2005 22:54:34 GMT

Aaron Mulder updated GERONIMO-1384:

    Attachment: security-reject.patch

security-reject.patch is a first step where Jetty will refuse to deploy a web app including
security settings if there is no Geronimo plan or a Geronimo plan that does not include security
settings.  At least this way we don't have a situation where a user expects security but none
is applied.

I hope we'll later provide a "better" fix to have Jetty use a default realm with no principals
in it so that security is applied but no logins work (so all secure pages are just inaccessible).

> Web app with no Geronimo plan makes all secure pages insecure
> -------------------------------------------------------------
>          Key: GERONIMO-1384
>          URL:
>      Project: Geronimo
>         Type: Bug
>   Components: web, security
>     Versions: 1.0-M5
>     Reporter: Aaron Mulder
>     Priority: Blocker
>      Fix For: 1.0
>  Attachments: security-reject.patch
> If you deploy a web application with certain pages/URLs protected by a login, but you
> don't include a Geronimo deployment plan, all those pages/URLs are unprotected.  To replicate:
> Deploy this with no plan:
> and then visit http://localhost:8080/geronimo-ldap-demo-1.0-SNAPSHOT and click the links
> to "secure" and "forbidden".  Both links work, with no login prompt.  Instead, you should
> get a login prompt and (since no realm was configured) all logins should fail.
> The web.xml in this case contains:
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Admin Role</web-resource-name>
>         <url-pattern>/protect/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>content-administrator</role-name>
>       </auth-constraint>
>     </security-constraint>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>No Access</web-resource-name>
>         <url-pattern>/forbidden/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint/>
>     </security-constraint>
>     <login-config>
>       <auth-method>FORM</auth-method>
>       <realm-name>MYREALM</realm-name>
>       <form-login-config>
>          <form-login-page>/auth/logon.html?param=test</form-login-page>
>          <form-error-page>/auth/logonError.html?param=test</form-error-page>
>       </form-login-config>
>     </login-config>
>     <security-role>
>       <role-name>content-administrator</role-name>
>     </security-role>

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:
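The deploy-time rule the comment above describes (reject a web app whose web.xml carries security settings when no Geronimo plan, or a plan without security settings, is supplied), as an added Python illustration that is not the attached patch or Geronimo's own builder code. It assumes, as a simplification, that a Geronimo plan signals security through a `security` or `security-realm-name` element, and feeds in the issue's own web.xml fragment wrapped in a constructed root element.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop the namespace so 2.3 (DTD) and 2.4 (xmlns) web.xml both match."""
    return tag.rsplit('}', 1)[-1]

def _find(node, name):
    return [e for e in node.iter() if _local(e.tag) == name]

def web_xml_security(web_xml):
    """Collect each security-constraint's patterns/roles and the login-config method."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in _find(root, 'security-constraint'):
        roles = [r.text.strip() for r in _find(sc, 'role-name') if r.text]
        constraints.append({
            'patterns': [p.text.strip() for p in _find(sc, 'url-pattern') if p.text],
            'roles': roles,
            # an empty <auth-constraint/> means no one may access the resource
            'deny_all': bool(_find(sc, 'auth-constraint')) and not roles})
    methods = _find(root, 'auth-method')
    method = methods[0].text.strip() if methods and methods[0].text else None
    return {'constraints': constraints, 'auth_method': method}

def deployment_decision(web_xml, plan_xml=None):
    """Return (accept, reason): reject when web.xml asks for security that the
    Geronimo plan (missing, or present without security settings) does not configure."""
    wanted = web_xml_security(web_xml)
    if not wanted['constraints'] and wanted['auth_method'] is None:
        return True, 'web.xml has no security settings'
    if plan_xml is None:
        return False, 'web.xml has security settings but no Geronimo plan was supplied'
    plan = ET.fromstring(plan_xml)
    # assumption: either element marks a plan that configures security
    if not (_find(plan, 'security') or _find(plan, 'security-realm-name')):
        return False, 'plan configures no security for %d constraint(s)' % len(wanted['constraints'])
    return True, 'security configured in both web.xml and the Geronimo plan'

# Constructed input: the issue's web.xml fragment, condensed and wrapped in a root element.
WEB_XML = """<web-app>
<security-constraint><web-resource-collection><web-resource-name>Admin Role</web-resource-name>
<url-pattern>/protect/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>content-administrator</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection><web-resource-name>No Access</web-resource-name>
<url-pattern>/forbidden/*</url-pattern></web-resource-collection><auth-constraint/></security-constraint>
<login-config><auth-method>FORM</auth-method><realm-name>MYREALM</realm-name></login-config>
<security-role><role-name>content-administrator</role-name></security-role></web-app>"""
PLAN_WITH_SECURITY = "<web-app><security-realm-name>demo-realm</security-realm-name></web-app>"

if __name__ == '__main__':
    for plan in (None, "<web-app/>", PLAN_WITH_SECURITY):
        print(deployment_decision(WEB_XML, plan))
```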
