You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by "Aaron Mulder (JIRA)" <de...@geronimo.apache.org> on 2006/04/27 21:45:37 UTC

[jira] Updated: (GERONIMO-1384) Web app with no Geronimo plan makes all secure pages insecure

     [ http://issues.apache.org/jira/browse/GERONIMO-1384?page=all ]

Aaron Mulder updated GERONIMO-1384:
-----------------------------------

    Fix Version: 1.1
                     (was: 1.2)
      Assign To: Aaron Mulder
       Priority: Trivial  (was: Blocker)

Should try for the better fix for 1.1 if we're sitting around bored with nothing left to fix.  Otherwise, should be a higher priority for 1.2.

> Web app with no Geronimo plan makes all secure pages insecure
> -------------------------------------------------------------
>
>          Key: GERONIMO-1384
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1384
>      Project: Geronimo
>         Type: Bug
>     Security: public(Regular issues) 
>   Components: security, web
>     Versions: 1.0-M5
>     Reporter: Aaron Mulder
>     Assignee: Aaron Mulder
>     Priority: Trivial
>      Fix For: 1.1
>  Attachments: security-reject.patch
>
> If you deploy a web application with certain pages/URLs protected by a login, but you don't include a Geronimo deployment plan, all those pages/URLs are unprotected.  To replicate:
> Deploy this with no plan: http://cvs.apache.org/repository/geronimo/wars/geronimo-ldap-demo-1.0-SNAPSHOT.war
> and then visit http://localhost:8080/geronimo-ldap-demo-1.0-SNAPSHOT and click the links to "secure" and "forbidden".  Both links work, with no login prompt.  Instead, you should get a login prompt and (since no realm was configured) all logins should fail.
> The web.xml in this case contains:
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Admin Role</web-resource-name>
>         <url-pattern>/protect/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>content-administrator</role-name>
>       </auth-constraint>
>     </security-constraint>
>     
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>No Access</web-resource-name>
>         <url-pattern>/forbidden/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint/>
>     </security-constraint>
>     <login-config>
>       <auth-method>FORM</auth-method>
>       <realm-name>MYREALM</realm-name>
>       <form-login-config>
>          <form-login-page>/auth/logon.html?param=test</form-login-page>
>          <form-error-page>/auth/logonError.html?param=test</form-error-page>
>       </form-login-config>
>     </login-config>
>   <security-role>
>       <role-name>content-administrator</role-name>
>   </security-role>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira