incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Jaquith (JIRA)" <>
Subject [jira] Resolved: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml
Date Tue, 07 Oct 2008 16:04:44 GMT


Andrew Jaquith resolved JSPWIKI-212.

    Resolution: Won't Fix

SSL is indeed "orthogonal" to container authentication -- in the sense that you aren't required
to have it turned on. However, I am very strongly opposed to taking it out on the grounds
of security. Regardless of whether the JSPWiki instance is on an intranet or not, the fact
is that without SSL, credentials travel in the clear. This is bad.

My position on this is that if an administrator is sophisticated enough to wire up container
authentication, they should be grown-up enough to use SSL too. That's a good default security
posture, and that is one I want to encourage. But if they don't want to use it, they can simply
remove the CONFIDENTIAL element.

I am sorry this has caused you problems. But the guidance in web.xml for this is crystal clear
-- there is no way an administrator could miss it.

Marking this as "won't fix." 

> transport-guarantee CONFIDENTIAL should be removed from web.xml
> ---------------------------------------------------------------
>                 Key: JSPWIKI-212
>                 URL:
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 2.6.2
>         Environment: apache-tomcat-6.0.16
>            Reporter: J├╝rgen Weber
>            Assignee: Andrew Jaquith
>            Priority: Minor
> The default web.xml of JSPWiki contains two times
>  <user-data-constraint>
>            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>        </user-data-constraint>
> for container managed authorization.
> But by default Tomcat has not switched on SSL, and trying to log in to JSPWiki you get
> Firefox can't establish a connection to the server at localhost:8443.
> By default the user-data-constraint element should be removed as it makes activating
container managed authorization unnecessarily difficult.
> Especially as it is not easy or obvious to notice the connection between the cited error
message and the user-data-constraint element.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message