incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jürgen Weber (JIRA) <>
Subject [jira] Commented: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml
Date Mon, 07 Apr 2008 08:12:24 GMT


Jürgen Weber commented on JSPWIKI-212:

Why should JSPWiki be more strict than Tomcat itself? Tomcat has SSL off by default, which
is not surprising, as you should know about SSL certificates:

If you want to put SSL on the internet, you should get a CA issued certificate. People who
want to do all that to get SSL running certainly know how to switch on SSL in web.xml.

So, for all other people, let's switch it off in web.xml

> transport-guarantee CONFIDENTIAL should be removed from web.xml
> ---------------------------------------------------------------
>                 Key: JSPWIKI-212
>                 URL:
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 2.6.2
>         Environment: apache-tomcat-6.0.16
>            Reporter: Jürgen Weber
>            Priority: Minor
> The default web.xml of JSPWiki contains two times
>  <user-data-constraint>
>            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>        </user-data-constraint>
> for container managed authorization.
> But by default Tomcat has not switched on SSL, and trying to log in to JSPWiki you get
> Firefox can't establish a connection to the server at localhost:8443.
> By default the user-data-constraint element should be removed as it makes activating
container managed authorization unnecessarily difficult.
> Especially as it is not easy or obvious to notice the connection between the cited error
message and the user-data-constraint element.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message