geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Wilkins <gr...@mortbay.com>
Subject Realmless security. Was: Release 1.0 New Build Available
Date Sun, 18 Dec 2005 22:45:43 GMT
Aaron Mulder wrote:
> Well it appears that Tomcat and Jetty handle this situation
> differently (Tomcat: all secure pages locked down, Jetty: all secure
> pages accessible to anybody), which is *definitely* a bug...

If Jetty is not given a realm, but is given security constraints for a 
resources, it returns a "500 configuration error".   So the Jetty plugin 
must either be giving Jetty a realm or not giving it the security
constraints.

>From a quick look at JettyModuleBuilder, I think the security
constraints are not being built if there is no security realm name.

> But really, if the user put security settings in their web.xml, then
> clearly they're expecting security to be applied.  If we disable all
> security because they missed a deployment plan or a deployment plan
> setting, then I think that's a huge security problem.  Gnerally
> speaking, I think it's always best to fail to a more secure state, not
> to fail to an "anybody authorized for anything" state.  That's
> certainly the behavior you'd expect from your bank.

I agree - but then 1.0 is not going to be a real production release.
I really think it should be called a 1.0RC.

But anyway... I'm out for a few hours and if David has not fixed this by then,
I'll work on a fix for trunk and we can then decide if that makes it for 1.0

cheers

Mime
View raw message