jspwiki-dev mailing list archives

From Jürgen Weber (JIRA) <j...@apache.org>
Subject [jira] [Commented] (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml
Date Mon, 26 May 2014 11:26:01 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14008767#comment-14008767 ]

Jürgen Weber commented on JSPWIKI-212:

After all these years...

I am still against transport-guarantee CONFIDENTIAL in web.xml by default.

It makes enabling container managed security difficult, because of strange error messages.

Container managed security has nothing to do with SSL; you can have container managed security
without the need of an SSL certificate.

Also, if you use custom authentication, there is no SSL requirement, either.

Tomcat's manager app is also without transport-guarantee.

I suggest disabling transport guarantee in web.xml like Apache Roller does:

         Uncomment below to use SSL on sensitive pages.  Alternatively,

> transport-guarantee CONFIDENTIAL should be removed from web.xml
> ---------------------------------------------------------------
>                 Key: JSPWIKI-212
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-212
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication & Authorization
>    Affects Versions: 2.6.2
>         Environment: apache-tomcat-6.0.16
>            Reporter: Jürgen Weber
>            Assignee: Andrew Jaquith
>            Priority: Minor
> The default web.xml of JSPWiki contains two times
>  <user-data-constraint>
>            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>        </user-data-constraint>
> for container managed authorization.
> But by default Tomcat has not switched on SSL, and trying to log in to JSPWiki you get
> Firefox can't establish a connection to the server at localhost:8443.
> By default the user-data-constraint element should be removed as it makes activating
> container managed authorization unnecessarily difficult.
> Especially as it is not easy or obvious to notice the connection between the cited error
> message and the user-data-constraint element.

This message was sent by Atlassian JIRA
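
To connect the "can't establish a connection to ... :8443" error discussed in this message to the deployment descriptor, the following added example (not part of the original message or of JSPWiki) lists each security-constraint in a web.xml and the URL patterns that will only work over HTTPS. The sample descriptor, its URL patterns and its role names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not JSPWiki's real web.xml: URL patterns and role names are made up.
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/Login.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Authenticated</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
    <!-- <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint> -->
  </security-constraint>
</web-app>
"""

def _descendants(elem, name):
    # Match on the local tag name so any web.xml schema namespace is accepted.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(web_xml_text):
    """Return one record per <security-constraint>: patterns, roles, guarantee."""
    findings = []
    for sc in _descendants(ET.fromstring(web_xml_text), "security-constraint"):
        text = lambda name: [e.text.strip() for e in _descendants(sc, name) if e.text]
        # A commented-out user-data-constraint is skipped by the parser, hence NONE.
        guarantee = (text("transport-guarantee") or ["NONE"])[0].upper()
        findings.append({"patterns": text("url-pattern"),
                         "roles": text("role-name"),
                         "guarantee": guarantee})
    return findings

def patterns_needing_tls(web_xml_text):
    # CONFIDENTIAL (and INTEGRAL) make the container send plain-HTTP requests to its
    # HTTPS port; without an SSL connector configured the browser cannot connect.
    return [p for f in audit(web_xml_text)
            if f["guarantee"] in ("CONFIDENTIAL", "INTEGRAL") for p in f["patterns"]]

if __name__ == "__main__":
    for f in audit(SAMPLE_WEB_XML):
        print(f["guarantee"], f["patterns"], f["roles"])
```

Both constraints still require a role through auth-constraint; only the first also forces HTTPS, which is the distinction the message draws between container managed security and SSL.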
