Posted to dev@geronimo.apache.org by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org> on 2005/12/18 20:09:36 UTC
[jira] Created: (GERONIMO-1384) Web app with no Geronimo plan makes all secure pages insecure
Web app with no Geronimo plan makes all secure pages insecure
-------------------------------------------------------------
Key: GERONIMO-1384
URL: http://issues.apache.org/jira/browse/GERONIMO-1384
Project: Geronimo
Type: Bug
Components: web, security
Versions: 1.0-M5
Reporter: Aaron Mulder
Priority: Blocker
Fix For: 1.0
If you deploy a web application with certain pages/URLs protected by a login, but you don't include a Geronimo deployment plan, all those pages/URLs are unprotected. To replicate:
Deploy this with no plan: http://cvs.apache.org/repository/geronimo/wars/geronimo-ldap-demo-1.0-SNAPSHOT.war
and then visit http://localhost:8080/geronimo-ldap-demo-1.0-SNAPSHOT and click the links to "secure" and "forbidden". Both links work, with no login prompt. Instead, you should get a login prompt and (since no realm was configured) all logins should fail.
The web.xml in this case contains:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Role</web-resource-name>
      <url-pattern>/protect/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>content-administrator</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No Access</web-resource-name>
      <url-pattern>/forbidden/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MYREALM</realm-name>
    <form-login-config>
      <form-login-page>/auth/logon.html?param=test</form-login-page>
      <form-error-page>/auth/logonError.html?param=test</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>content-administrator</role-name>
  </security-role>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Updated: (GERONIMO-1384) Provide default security realm for web-apps with secured pages deployed without a plan
Posted by "David Jencks (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-1384?page=all ]
David Jencks updated GERONIMO-1384:
-----------------------------------
Summary: Provide default security realm for web-apps with secured pages deployed without a plan (was: Web app with no Geronimo plan makes all secure pages insecure)
Type: New Feature (was: Bug)
Fix Version: Wish List (was: 1.1.1)
Priority: Minor (was: Trivial)
Changed subject, target version since the original problem is fixed and perhaps the goal of having a default security realm could be debated.
> Provide default security realm for web-apps with secured pages deployed without a plan
> --------------------------------------------------------------------------------------
>
> Key: GERONIMO-1384
> URL: http://issues.apache.org/jira/browse/GERONIMO-1384
> Project: Geronimo
> Type: New Feature
> Security: public(Regular issues)
> Components: security, web
> Versions: 1.0-M5
> Reporter: Aaron Mulder
> Priority: Minor
> Fix For: Wish List
> Attachments: security-reject.patch
[jira] Updated: (GERONIMO-1384) Web app with no Geronimo plan makes all secure pages insecure
Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-1384?page=all ]
Aaron Mulder updated GERONIMO-1384:
-----------------------------------
Fix Version: 1.1 (was: 1.2)
Assign To: Aaron Mulder
Priority: Trivial (was: Blocker)
Should try for the better fix for 1.1 if we're sitting around bored with nothing left to fix. Otherwise, should be a higher priority for 1.2.
> Web app with no Geronimo plan makes all secure pages insecure
> -------------------------------------------------------------
>
> Key: GERONIMO-1384
> URL: http://issues.apache.org/jira/browse/GERONIMO-1384
> Project: Geronimo
> Type: Bug
> Security: public(Regular issues)
> Components: security, web
> Versions: 1.0-M5
> Reporter: Aaron Mulder
> Assignee: Aaron Mulder
> Priority: Trivial
> Fix For: 1.1
> Attachments: security-reject.patch
[jira] Updated: (GERONIMO-1384) Web app with no Geronimo plan makes all secure pages insecure
Posted by "Matt Hogstrom (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-1384?page=all ]
Matt Hogstrom updated GERONIMO-1384:
------------------------------------
Fix Version: 1.1.1 (was: 1.1)
> Web app with no Geronimo plan makes all secure pages insecure
> -------------------------------------------------------------
>
> Key: GERONIMO-1384
> URL: http://issues.apache.org/jira/browse/GERONIMO-1384
> Project: Geronimo
> Type: Bug
> Security: public(Regular issues)
> Components: web, security
> Versions: 1.0-M5
> Reporter: Aaron Mulder
> Assignee: Aaron Mulder
> Priority: Trivial
> Fix For: 1.1.1
> Attachments: security-reject.patch
[jira] Updated: (GERONIMO-1384) Web app with no Geronimo plan makes all secure pages insecure
Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-1384?page=all ]
Aaron Mulder updated GERONIMO-1384:
-----------------------------------
Component: security, web
> Web app with no Geronimo plan makes all secure pages insecure
> -------------------------------------------------------------
>
> Key: GERONIMO-1384
> URL: http://issues.apache.org/jira/browse/GERONIMO-1384
> Project: Geronimo
> Type: Bug
> Components: web, security
> Versions: 1.0-M5
> Reporter: Aaron Mulder
> Priority: Blocker
> Fix For: 1.0
[jira] Closed: (GERONIMO-1384) Provide default security realm for web-apps with secured pages deployed without a plan
Posted by "David Jencks (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/GERONIMO-1384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Jencks closed GERONIMO-1384.
----------------------------------
Resolution: Fixed
Fix Version/s: 2.1 (was: Wish List)
Assignee: David Jencks
This was fixed a long time ago. Apps won't deploy if they have security configuration in the spec dds but no geronimo plan describing how to login and get to the app roles. I would need some argument that deploying a secured app with no geronimo security configuration and only allowing access to unsecured pages is a good idea.
> Provide default security realm for web-apps with secured pages deployed without a plan
> --------------------------------------------------------------------------------------
>
> Key: GERONIMO-1384
> URL: https://issues.apache.org/jira/browse/GERONIMO-1384
> Project: Geronimo
> Issue Type: New Feature
> Security Level: public(Regular issues)
> Components: security, web
> Affects Versions: 1.0-M5
> Reporter: Aaron Mulder
> Assignee: David Jencks
> Priority: Minor
> Fix For: 2.1
>
> Attachments: security-reject.patch
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (GERONIMO-1384) Web app with no Geronimo plan makes all secure pages insecure
Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-1384?page=all ]
Aaron Mulder updated GERONIMO-1384:
-----------------------------------
Attachment: security-reject.patch
security-reject.patch is a first step where Jetty will refuse to deploy a web app including security settings if there is no Geronimo plan or a Geronimo plan that does not include security settings. At least this way we don't have a situation where a user expects security but none is applied.
I hope we'll later provide a "better" fix to have Jetty use a default realm with no principals in it, so that security is applied but no logins work (so all secure pages are just inaccessible).
> Web app with no Geronimo plan makes all secure pages insecure
> -------------------------------------------------------------
>
> Key: GERONIMO-1384
> URL: http://issues.apache.org/jira/browse/GERONIMO-1384
> Project: Geronimo
> Type: Bug
> Components: web, security
> Versions: 1.0-M5
> Reporter: Aaron Mulder
> Priority: Blocker
> Fix For: 1.0
> Attachments: security-reject.patch
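The thread describes two remedies for the original report but shows neither in code: the security-reject behaviour (refuse to deploy when web.xml declares security and no plan names a realm) and the proposed default realm with no principals (constraints enforced, every login fails). The following is an added Python example that models both; it is not Geronimo or Jetty code and not the contents of security-reject.patch. It parses the web.xml fragment quoted in the report (wrapped in a <web-app> root so it parses); the plan check, the url-pattern matcher, the simplified constraint-combination rule, the realm layout and the HTTP status codes are this example's own assumptions.

```python
"""Fail-closed handling of a web.xml that declares security constraints but
ships without a Geronimo plan, as discussed in GERONIMO-1384.

Added example, not Geronimo code. WEB_XML is the fragment quoted in the issue
(wrapped in a <web-app> root). The plan check, url-pattern matcher, combination
rule and empty default realm are this example's own assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Role</web-resource-name>
      <url-pattern>/protect/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>content-administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No Access</web-resource-name>
      <url-pattern>/forbidden/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method><realm-name>MYREALM</realm-name></login-config>
  <security-role><role-name>content-administrator</role-name></security-role>
</web-app>"""

@dataclass
class Constraint:
    patterns: List[str]
    # None: no <auth-constraint>, the collection is unrestricted.
    # []:   empty <auth-constraint/>, nobody may access the collection.
    roles: Optional[List[str]]

def parse_constraints(web_xml: str) -> List[Constraint]:
    """Pull every <security-constraint> out of a web.xml document."""
    out = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        ac = sc.find("auth-constraint")  # compare with None: an empty element is falsy
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        out.append(Constraint(patterns, roles))
    return out

def declares_security(web_xml: str) -> bool:
    root = ET.fromstring(web_xml)
    return root.find("security-constraint") is not None or root.find("login-config") is not None

def check_deployable(web_xml: str, plan_realm: Optional[str]) -> Tuple[bool, str]:
    """The security-reject behaviour: if the app asks for security and the plan
    names no realm, refuse to deploy rather than silently serve protected URLs."""
    if declares_security(web_xml) and plan_realm is None:
        return False, "web.xml declares security but no Geronimo plan names a realm"
    return True, "ok"

def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style url-pattern matching: default, path prefix, extension, exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

# A realm maps user name -> (password, roles). The empty realm models the
# "default realm with no principals" proposed in the thread: constraints are
# enforced, but no login can ever succeed. (Constructed, not a Geronimo type.)
Realm = Dict[str, Tuple[str, Set[str]]]
EMPTY_DEFAULT_REALM: Realm = {}

def login(realm: Realm, user: str, password: str) -> Optional[Set[str]]:
    entry = realm.get(user)
    return None if entry is None or entry[0] != password else entry[1]

def decide(constraints: List[Constraint], path: str, roles: Optional[Set[str]]) -> int:
    """HTTP status for one request: 200 allowed, 401 login required, 403 denied.
    Combination rule (simplified from the servlet spec): an empty auth-constraint
    wins, then an unrestricted collection, then the union of the named roles."""
    hits = [c for c in constraints if any(pattern_matches(p, path) for p in c.patterns)]
    if not hits:
        return 200
    if any(c.roles == [] for c in hits):
        return 403
    if any(c.roles is None for c in hits):
        return 200
    if roles is None:
        return 401
    allowed = set().union(*(c.roles for c in hits))
    return 200 if allowed & roles else 403

def serve(constraints: List[Constraint], realm: Realm, path: str,
          credentials: Optional[Tuple[str, str]] = None) -> int:
    """Request-time path: a failed or absent login is treated as anonymous."""
    roles = login(realm, *credentials) if credentials else None
    return decide(constraints, path, roles)

if __name__ == "__main__":
    print(check_deployable(WEB_XML, plan_realm=None))
    cs = parse_constraints(WEB_XML)
    for p in ("/index.html", "/protect/page.jsp", "/forbidden/page.jsp"):
        print(p, serve(cs, EMPTY_DEFAULT_REALM, p, ("admin", "admin")))
```

With the empty default realm, the unprotected index still returns 200, `/protect/*` returns 401 (a login prompt that no credentials can satisfy) and `/forbidden/*` returns 403, which is the outcome the report says should have happened. The deploy-time check is the stricter option Aaron's patch took: rather than trusting request-time enforcement to be configured, it refuses the deployment outright when the descriptor and the plan disagree about whether security exists.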
[jira] Updated: (GERONIMO-1384) Web app with no Geronimo plan makes all secure pages insecure
Posted by "Matt Hogstrom (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-1384?page=all ]
Matt Hogstrom updated GERONIMO-1384:
------------------------------------
Fix Version: 1.1
(was: 1.0)
Applied patch to 1.0 to prevent error. Moving to 1.1 for final fix from Aaron.
> Web app with no Geronimo plan makes all secure pages insecure
> -------------------------------------------------------------
>
> Key: GERONIMO-1384
> URL: http://issues.apache.org/jira/browse/GERONIMO-1384
> Project: Geronimo
> Type: Bug
> Components: security, web
> Versions: 1.0-M5
> Reporter: Aaron Mulder
> Priority: Blocker
> Fix For: 1.1
> Attachments: security-reject.patch
[jira] Updated: (GERONIMO-1384) Web app with no Geronimo plan makes all secure pages insecure
Posted by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-1384?page=all ]
Aaron Mulder updated GERONIMO-1384:
-----------------------------------
Assign To: (was: Aaron Mulder)
> Web app with no Geronimo plan makes all secure pages insecure
> -------------------------------------------------------------
>
> Key: GERONIMO-1384
> URL: http://issues.apache.org/jira/browse/GERONIMO-1384
> Project: Geronimo
> Type: Bug
> Security: public(Regular issues)
> Components: security, web
> Versions: 1.0-M5
> Reporter: Aaron Mulder
> Priority: Trivial
> Fix For: 1.1.1
> Attachments: security-reject.patch
[jira] Commented: (GERONIMO-1384) Web app with no Geronimo plan makes all secure pages insecure
Posted by "Matt Hogstrom (JIRA)" <de...@geronimo.apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-1384?page=comments#action_12360776 ]
Matt Hogstrom commented on GERONIMO-1384:
-----------------------------------------
Applied patch to 1.0 branch.
Sending modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java
Transmitting file data .
Committed revision 357646.
> Web app with no Geronimo plan makes all secure pages insecure
> -------------------------------------------------------------
>
> Key: GERONIMO-1384
> URL: http://issues.apache.org/jira/browse/GERONIMO-1384
> Project: Geronimo
> Type: Bug
> Components: security, web
> Versions: 1.0-M5
> Reporter: Aaron Mulder
> Priority: Blocker
> Fix For: 1.1
> Attachments: security-reject.patch