incubator-jspwiki-dev mailing list archives

From "Andrew Jaquith (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml
Date Mon, 07 Apr 2008 19:13:24 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12586501#action_12586501 ]

Andrew Jaquith commented on JSPWIKI-212:
----------------------------------------

I agree with Florian's comment. We should add a comment in web.xml mentioning how to enable
SSL. 

However, it is not appropriate to disable the SSL requirement by default. If an admin is
sophisticated enough to enable container-managed auth, they should also be able to turn on
SSL. In an intranet environment, remember that authentication will be typically against a
corporate LDAP server or Active Directory. For this reason, SSL should be on by default. 

Marking this as "won't fix."

> transport-guarantee CONFIDENTIAL should be removed from web.xml
> ---------------------------------------------------------------
>
>                 Key: JSPWIKI-212
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-212
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 2.6.2
>         Environment: apache-tomcat-6.0.16
>            Reporter: Jürgen Weber
>            Priority: Minor
>
> The default web.xml of JSPWiki contains two times
>  <user-data-constraint>
>            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>        </user-data-constraint>
> for container managed authorization.
> But by default Tomcat has not switched on SSL, and trying to log in to JSPWiki you get
> Firefox can't establish a connection to the server at localhost:8443.
> By default the user-data-constraint element should be removed as it makes activating
> container managed authorization unnecessarily difficult.
> Especially as it is not easy or obvious to notice the connection between the cited error
> message and the user-data-constraint element.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
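
An added example, not part of the original message or of JSPWiki's code: a Python check that lists the URL patterns in a web.xml whose security-constraint requires login but lacks the CONFIDENTIAL transport guarantee discussed in this thread. The sample descriptor, its URL patterns and its role names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not JSPWiki's shipped web.xml: the first constraint keeps
# the CONFIDENTIAL guarantee quoted in the issue, the second has had it removed.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/Login.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Authenticated</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def local(tag):
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def find_all(elem, name):
    """Return all descendants of elem whose local tag name matches."""
    return [e for e in elem.iter() if local(e.tag) == name]


def unprotected_constraints(web_xml):
    """Return URL patterns of constraints that require login but not TLS."""
    findings = []
    for sc in find_all(ET.fromstring(web_xml), "security-constraint"):
        if not find_all(sc, "auth-constraint"):
            continue  # no login required here, so no credentials to protect
        guarantees = {(g.text or "").strip() for g in find_all(sc, "transport-guarantee")}
        if "CONFIDENTIAL" not in guarantees:
            findings.extend((u.text or "").strip() for u in find_all(sc, "url-pattern"))
    return findings


if __name__ == "__main__":
    for pattern in unprotected_constraints(SAMPLE_WEB_XML):
        print("login required without CONFIDENTIAL transport:", pattern)
```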

