geronimo-dev mailing list archives

From Aaron Mulder <ammul...@alumni.princeton.edu>
Subject Re: Release 1.0 New Build Available
Date Sun, 18 Dec 2005 20:52:57 GMT
Well it appears that Tomcat and Jetty handle this situation
differently (Tomcat: all secure pages locked down, Jetty: all secure
pages accessible to anybody), which is *definitely* a bug...

But really, if the user put security settings in their web.xml, then
clearly they're expecting security to be applied.  If we disable all
security because they missed a deployment plan or a deployment plan
setting, then I think that's a huge security problem.  Generally
speaking, I think it's always best to fail to a more secure state, not
to fail to an "anybody authorized for anything" state.  That's
certainly the behavior you'd expect from your bank.

Thanks,
    Aaron

On 12/18/05, David Jencks <david_jencks@yahoo.com> wrote:
> I always thought this was a feature rather than a bug.  I believe
> that what determines if you get security is whether there is a role-
> principal mapping in the geronimo plan, not the existence of the
> geronimo plan.  I believe the same applies to ejbs.
>
> I'm a bit nervous about changing this stable behavior this close to a
> release.
>
> david jencks
>
> On Dec 18, 2005, at 11:04 AM, Aaron Mulder wrote:
>
> > Another major problem:
> >
> > If you deploy a WAR with security settings and no geronimo-web.xml, all
> > supposedly secure content is unprotected!  Try deploying this with no
> > plan: http://cvs.apache.org/repository/geronimo/wars/geronimo-ldap-
> > demo-1.0-SNAPSHOT.war
> > and then visiting
> > http://localhost:8080/geronimo-ldap-demo-1.0-SNAPSHOT and clicking the
> > links to "secure" and "forbidden".  Both links work, with no login
> > prompt.  Instead, IMO, you should get a login prompt and (since no
> > realm was configured) all logins should fail.
> >
> > -1 to releasing without the fix.  :)  I'm sorry, this is the stuff
> > that's supposed to be flushed out during the "release candidate"
> > phase.  We never had one since we were trying to get 1.0 out the door
> > in 30 seconds or less, but now we're having one, and I think we ought
> > to use it.  I'd rather release a solid 1.0 in a week instead of a
> > broken one now.
> >
> > Aaron
> >
> > On 12/18/05, Dain Sundstrom <dain@iq80.com> wrote:
> >> -1 to all "fixes"
> >>
> >> We're never going to get this release out at this rate.  Let's list
> >> these as known issues and plan for a 1.0.1 release in two weeks.
> >>
> >> -dain
> >>
> >> On Dec 18, 2005, at 10:51 AM, Jeff Genender wrote:
> >>
> >>> Cool...I have a clustering GBean fix...so since we need to rebuild I
> >>> would like to slide mine in too.
> >>>
> >>> Aaron Mulder wrote:
> >>>> I'd like to put one more fix in here -- sorry, but I just got
> >>>> back to
> >>>> my internet connection.  Right now if you put a username or
> >>>> password
> >>>> of blank in the database pool portlet, the deployment fails.
> >>>> This is
> >>>> of course required for connections to the embedded Derby instance,
> >>>> and
> >>>> I have the fix ready.
> >>>>
> >>>> Thanks,
> >>>>     Aaron
> >>>>
> >>>> On 12/18/05, Dave Colasurdo <davecola@earthlink.net> wrote:
> >>>>> Can we also address part 2 (shutdown error) of GERONIMO-1371?  It
> >>>>> fails
> >>>>> consistently when issuing a startup followed by a shutdown..
> >>>>> Anyone have any insight here?  If we don't fix it, we should add
> >>>>> this to
> >>>>> the Release notes as a "known issue".
> >>>>>
> >>>>> BTW, looking through the release notes... I assume "Specific
> >>>>> Issues,
> >>>>> Features and Improvements for Version 1.0" is a list of things
> >>>>> that
> >>>>> already have been fixed in 1.0.  We may want to make this a bit
> >>>>> clearer.
> >>>>>   "Specific Issues, Features and Improvements *fixed* for Version
> >>>>> 1.0"
> >>>>>
> >>>>> Hmm.. Should there be a section in the release notes for common
> >>>>> known
> >>>>> issues (JIRAs) or do you feel that a link to JIRA is sufficient?
> >>>>> The
> >>>>> "Significant Missing Features" section info is much broader and
> >>>>> not at a
> >>>>> JIRA granularity.
> >>>>>
> >>>>>
> >>>>> Thanks
> >>>>> -Dave-
> >>>>>
> >>>>> Dave Colasurdo wrote:
> >>>>>> Matt Hogstrom wrote:
> >>>>>>
> >>>>>>> Deferring to 1.1
> >>>>>>> GERONIMO-1371 - Geronimo startup/shutdown issues
> >>>>>>>
> >>>>>> Any chance of incorporating part 1 of JIRA 1371?  It is simply
> >>>>>> adding an
> >>>>>>  @echo off to startup.bat (and a "launching new window"
> >>>>>> message).
> >>>>>>
> >>>>>> While not a functional problem, it sure will make a big
> >>>>>> difference as to a user's first impression of geronimo..
> >>>>>>
> >>>>>> Have attached the patch to the JIRA..
> >>>>>>
> >>>>>> Here is the output with the fix:
> >>>>>>
> >>>>>> C:\matt_spin_121805\geronimo-1.0\bin>startup
> >>>>>> Using GERONIMO_BASE:   c:\matt_spin_121805\geronimo-1.0
> >>>>>> Using GERONIMO_HOME:   c:\matt_spin_121805\geronimo-1.0
> >>>>>> Using GERONIMO_TMPDIR: c:\matt_spin_121805\geronimo-1.0\var\temp
> >>>>>> Using JRE_HOME:        c:\j2sdk1.4.2_08
> >>>>>>
> >>>>>> Launching Geronimo in a new window
> >>>>>>
> >>>>>>
> >>>>>> Here is the output Without the fix:
> >>>>>>
> >>>>>> c:\matt_spin_121805\geronimo-1.0\bin>startup
> >>>>>>
> >>>>>> c:\matt_spin_121805\geronimo-1.0\bin>if "Windows_NT" ==
> >>>>>> "Windows_NT"
> >>>>>> setlocal
> >>>>>>
> >>>>>> c:\matt_spin_121805\geronimo-1.0\bin>set
> >>>>>> CURRENT_DIR=c:\matt_spin_121805\geronim
> >>>>>> o-1.0\bin
> >>>>>>
> >>>>>> c:\matt_spin_121805\geronimo-1.0\bin>if not "" == "" goto
> >>>>>> gotHome
> >>>>>>
> >>>>>> c:\matt_spin_121805\geronimo-1.0\bin>set
> >>>>>> GERONIMO_HOME=c:\matt_spin_121805\geron
> >>>>>> imo-1.0\bin
> >>>>>>
> >>>>>> c:\matt_spin_121805\geronimo-1.0\bin>if exist
> >>>>>> "c:\matt_spin_121805\geronimo-1.0\
> >>>>>> bin\bin\geronimo.bat" goto okHome
> >>>>>>
> >>>>>> c:\matt_spin_121805\geronimo-1.0\bin>cd ..
> >>>>>>
> >>>>>> c:\matt_spin_121805\geronimo-1.0>set
> >>>>>> GERONIMO_HOME=c:\matt_spin_121805\geronimo-
> >>>>>> 1.0
> >>>>>>
> >>>>>> c:\matt_spin_121805\geronimo-1.0>cd c:\matt_spin_121805
> >>>>>> \geronimo-1.0\bin
> >>>>>>
> >>>>>> C:\matt_spin_121805\geronimo-1.0\bin>if exist
> >>>>>> "c:\matt_spin_121805\geronimo-1.0\
> >>>>>> bin\geronimo.bat" goto okHome
> >>>>>>
> >>>>>> C:\matt_spin_121805\geronimo-1.0\bin>set
> >>>>>> EXECUTABLE=c:\matt_spin_121805\geronimo
> >>>>>> -1.0\bin\geronimo.bat
> >>>>>>
> >>>>>> C:\matt_spin_121805\geronimo-1.0\bin>if exist
> >>>>>> "c:\matt_spin_121805\geronimo-1.0\
> >>>>>> bin\geronimo.bat" goto okExec
> >>>>>>
> >>>>>> C:\matt_spin_121805\geronimo-1.0\bin>set CMD_LINE_ARGS=
> >>>>>>
> >>>>>> C:\matt_spin_121805\geronimo-1.0\bin>if """" == """" goto
> >>>>>> doneSetArgs
> >>>>>>
> >>>>>> C:\matt_spin_121805\geronimo-1.0\bin>call
> >>>>>> "c:\matt_spin_121805\geronimo-1.0\bin\
> >>>>>> geronimo.bat" start
> >>>>>> Using GERONIMO_BASE:   c:\matt_spin_121805\geronimo-1.0
> >>>>>> Using GERONIMO_HOME:   c:\matt_spin_121805\geronimo-1.0
> >>>>>> Using GERONIMO_TMPDIR: c:\matt_spin_121805\geronimo-1.0\var\temp
> >>>>>> Using JRE_HOME:        c:\j2sdk1.4.2_08
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>
> >>
>
>
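An added example, not code from the thread or from Geronimo, modelling the fail-closed behaviour Aaron argues for: a `<security-constraint>` in web.xml is always enforced, and when the deployment plan supplies no role-to-principal mapping every authenticated user is denied rather than everyone being let through. The web.xml fragment, the role mapping and the `authorize` function are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not the real geronimo-ldap-demo descriptor).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/secure/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/forbidden/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def parse_constraints(xml_text):
    """Return {url_pattern: set(role_names)}; an empty <auth-constraint/> means nobody."""
    root = ET.fromstring(xml_text)
    constraints = {}
    for sc in root.findall("security-constraint"):
        roles = {r.text for r in sc.findall("auth-constraint/role-name")}
        for p in sc.findall("web-resource-collection/url-pattern"):
            constraints[p.text] = roles
    return constraints


def matches(pattern, path):
    """Servlet-style match: '/x/*' is a prefix match, anything else is exact."""
    return path.startswith(pattern[:-1]) if pattern.endswith("/*") else pattern == path


def authorize(constraints, role_mapping, path, principal):
    """role_mapping is {role: set(principals)} from the deployment plan, or None when
    no plan / no mapping was deployed. Returns 'allow', 'deny' or 'challenge'."""
    required = [roles for pat, roles in constraints.items() if matches(pat, path)]
    if not required:
        return "allow"        # unconstrained resource, no login needed
    if principal is None:
        return "challenge"    # constrained path: always prompt for login
    if not role_mapping:
        return "deny"         # fail closed: no mapping means nobody is authorized
    for roles in required:    # every matching constraint must be satisfied
        if not any(principal in role_mapping.get(r, ()) for r in roles):
            return "deny"     # an empty auth-constraint also ends up here
    return "allow"
```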
