Posted to dev@geronimo.apache.org by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org> on 2005/12/18 20:09:37 UTC
[jira] Updated: (GERONIMO-1384) Web app with no Geronimo plan makes all secure pages insecure
[ http://issues.apache.org/jira/browse/GERONIMO-1384?page=all ]
Aaron Mulder updated GERONIMO-1384:
-----------------------------------
Component: security, web
> Web app with no Geronimo plan makes all secure pages insecure
> -------------------------------------------------------------
>
> Key: GERONIMO-1384
> URL: http://issues.apache.org/jira/browse/GERONIMO-1384
> Project: Geronimo
> Type: Bug
> Components: web, security
> Versions: 1.0-M5
> Reporter: Aaron Mulder
> Priority: Blocker
> Fix For: 1.0
>
> If you deploy a web application with certain pages/URLs protected by a login, but you don't include a Geronimo deployment plan, all those pages/URLs are unprotected. To replicate:
> Deploy this with no plan: http://cvs.apache.org/repository/geronimo/wars/geronimo-ldap-demo-1.0-SNAPSHOT.war
> and then visit http://localhost:8080/geronimo-ldap-demo-1.0-SNAPSHOT and click the links to "secure" and "forbidden". Both links work, with no login prompt. Instead, you should get a login prompt and (since no realm was configured) all logins should fail.
> The web.xml in this case contains:
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Admin Role</web-resource-name>
> <url-pattern>/protect/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>content-administrator</role-name>
> </auth-constraint>
> </security-constraint>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>No Access</web-resource-name>
> <url-pattern>/forbidden/*</url-pattern>
> </web-resource-collection>
> <auth-constraint/>
> </security-constraint>
> <login-config>
> <auth-method>FORM</auth-method>
> <realm-name>MYREALM</realm-name>
> <form-login-config>
> <form-login-page>/auth/logon.html?param=test</form-login-page>
> <form-error-page>/auth/logonError.html?param=test</form-error-page>
> </form-login-config>
> </login-config>
> <security-role>
> <role-name>content-administrator</role-name>
> </security-role>
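An added post-deployment smoke check for the failure reported above; it is not part of the issue or of Geronimo. It parses the quoted security constraints and flags every constrained URL that an unauthenticated request can still read (the report's symptom: "secure" and "forbidden" both served with no login prompt). The HTTP responses are constructed, so it runs offline; recognising a FORM login prompt by its j_security_check action is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the constraints quoted in the report (deployed with no Geronimo plan).
WEB_XML = """<web-app>
<security-constraint><web-resource-collection><web-resource-name>Admin Role</web-resource-name>
<url-pattern>/protect/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>content-administrator</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection><web-resource-name>No Access</web-resource-name>
<url-pattern>/forbidden/*</url-pattern></web-resource-collection>
<auth-constraint/></security-constraint>
</web-app>"""

def constrained_patterns(web_xml):
    """Map each constrained url-pattern to its role list; [] means an empty <auth-constraint/> (deny all)."""
    out = {}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        if ac is None:
            continue  # no auth-constraint: this collection is not access-controlled
        roles = [r.text.strip() for r in ac.findall("role-name")]
        for p in sc.iter("url-pattern"):
            out[p.text.strip()] = roles
    return out

def probe_path(pattern):
    """Concrete path to request for a pattern: /protect/* -> /protect/index.html."""
    return pattern[:-1] + "index.html" if pattern.endswith("/*") else pattern

def is_enforced(roles, status, body):
    """True if the container stopped an unauthenticated request. Assumption: a FORM login
    prompt (forwarded with status 200) is recognised by its j_security_check action."""
    if not roles:                      # empty auth-constraint: nobody may pass
        return status == 403
    return status in (401, 403, 302, 303) or (status == 200 and "j_security_check" in body)

def find_unprotected(web_xml, fetch):
    """Constrained patterns served without enforcement. fetch(path) -> (status, body), sent
    with no credentials; in real use wrap urllib.request and point it at the deployed app."""
    return sorted(p for p, roles in constrained_patterns(web_xml).items()
                  if not is_enforced(roles, *fetch(probe_path(p))))

# Constructed responses: BROKEN mirrors the report (both pages served), FIXED is the expected behaviour.
BROKEN = {"/protect/index.html": (200, "<h1>admin page</h1>"), "/forbidden/index.html": (200, "<h1>oops</h1>")}
FIXED = {"/protect/index.html": (200, '<form action="j_security_check">'), "/forbidden/index.html": (403, "")}

if __name__ == "__main__":
    print("unprotected without plan:", find_unprotected(WEB_XML, lambda p: BROKEN[p]))
    print("unprotected with plan:", find_unprotected(WEB_XML, lambda p: FIXED[p]))
```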