incubator-jspwiki-dev mailing list archives

From "Juergen Weber" <webe...@gmail.com>
Subject Re: [jira] Resolved: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml
Date Tue, 07 Oct 2008 16:47:39 GMT
OK, I understand that the setting will not be changed.

Then I suggest to add:

<!--  REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH,
       PLEASE CHECK THE  user-data-constraint ELEMENTS

and below:

If you do not wish to use SSL, remove the "user-data-constraint"
       elements.
Note that some Containers will silently fail to log-in users if SSL is
not enabled.

On Tue, Oct 7, 2008 at 6:04 PM, Andrew Jaquith (JIRA) <jira@apache.org> wrote:
>
>     [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>
> Andrew Jaquith resolved JSPWIKI-212.
> ------------------------------------
>
>    Resolution: Won't Fix
>
> SSL is indeed "orthogonal" to container authentication -- in the sense that you aren't required to have it turned on. However, I am very strongly opposed to taking it out on the grounds of security. Regardless of whether the JSPWiki instance is on an intranet or not, the fact is that without SSL, credentials travel in the clear. This is bad.
>
> My position on this is that if an administrator is sophisticated enough to wire up container authentication, they should be grown-up enough to use SSL too. That's a good default security posture, and that is one I want to encourage. But if they don't want to use it, they can simply remove the CONFIDENTIAL element.
>
> I am sorry this has caused you problems. But the guidance in web.xml for this is crystal clear -- there is no way an administrator could miss it.
>
> Marking this as "won't fix."
>
>> transport-guarantee CONFIDENTIAL should be removed from web.xml
>> ---------------------------------------------------------------
>>
>>                 Key: JSPWIKI-212
>>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-212
>>             Project: JSPWiki
>>          Issue Type: Improvement
>>          Components: Authentication&Authorization
>>    Affects Versions: 2.6.2
>>         Environment: apache-tomcat-6.0.16
>>            Reporter: Jürgen Weber
>>            Assignee: Andrew Jaquith
>>            Priority: Minor
>>
>> The default web.xml of JSPWiki contains two times
>>  <user-data-constraint>
>>            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>        </user-data-constraint>
>> for container managed authorization.
>> But by default Tomcat has not switched on SSL, and trying to log in to JSPWiki you get
>> Firefox can't establish a connection to the server at localhost:8443.
>> By default the user-data-constraint element should be removed as it makes activating container managed authorization unnecessarily difficult.
>> Especially as it is not easy or obvious to notice the connection between the cited error message and the user-data-constraint element.
>
> --
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
>
>
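
The mismatch discussed in this thread (a CONFIDENTIAL transport-guarantee in web.xml while Tomcat has no SSL connector behind the redirect port) can be caught before deployment. The following is an added example, not part of the original message or of JSPWiki's code: a Python check run over constructed web.xml and server.xml samples, where the file contents, the /Login.jsp pattern and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, not the files JSPWiki or Tomcat ship.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/Login.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
HTTP = '<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>'
HTTPS = '<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"/>'
SERVER_XML_NO_SSL = f"<Server><Service>{HTTP}</Service></Server>"
SERVER_XML_SSL = f"<Server><Service>{HTTP}{HTTPS}</Service></Server>"

def local(tag):
    """Element name without its namespace, so any web.xml schema version matches."""
    return tag.rsplit("}", 1)[-1]

def confidential_patterns(web_xml):
    """URL patterns inside security-constraints that demand CONFIDENTIAL transport."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        texts = {}
        for e in sc.iter():
            texts.setdefault(local(e.tag), []).append((e.text or "").strip())
        if "CONFIDENTIAL" in texts.get("transport-guarantee", []):
            patterns += texts.get("url-pattern", [])
    return patterns

def findings(web_xml, server_xml):
    """Non-SSL connectors whose redirectPort has no SSL-enabled connector behind it."""
    patterns = confidential_patterns(web_xml)
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ssl_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "").lower() == "true"}
    return [(c.get("port"), c.get("redirectPort"), patterns)
            for c in connectors
            if patterns and c.get("port") not in ssl_ports
            and c.get("redirectPort") not in ssl_ports]

if __name__ == "__main__":
    print("no SSL connector:", findings(WEB_XML, SERVER_XML_NO_SSL))
    print("SSL connector present:", findings(WEB_XML, SERVER_XML_SSL))
```

A non-empty result means protected pages will be redirected to a port nothing listens on with SSL, which is the "can't establish a connection to the server at localhost:8443" symptom from the issue; the remedy that keeps credentials off the wire is to enable the SSL connector rather than drop the constraint.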
