Posted to dev@jspwiki.apache.org by "Jürgen Weber (JIRA)" <ji...@apache.org> on 2008/03/17 11:29:24 UTC

[jira] Created: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml

transport-guarantee CONFIDENTIAL should be removed from web.xml
---------------------------------------------------------------

                 Key: JSPWIKI-212
                 URL: https://issues.apache.org/jira/browse/JSPWIKI-212
             Project: JSPWiki
          Issue Type: Improvement
          Components: Authentication&Authorization
    Affects Versions: 2.6.2
         Environment: apache-tomcat-6.0.16
            Reporter: Jürgen Weber
            Priority: Minor
             Fix For: 2.6.2


The default web.xml of JSPWiki contains the following twice

 <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 </user-data-constraint>

for container managed authorization.

But by default Tomcat does not have SSL switched on, and when trying to log in to JSPWiki you get

Firefox can't establish a connection to the server at localhost:8443.

By default the user-data-constraint element should be removed as it makes activating container managed authorization unnecessarily difficult.

Especially as it is not easy or obvious to notice the connection between the cited error message and the user-data-constraint element.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
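
An added example, not part of the issue or of the JSPWiki project: a Python check for the mismatch the report describes. It parses a constructed web.xml carrying two CONFIDENTIAL user-data-constraints and a constructed Tomcat server.xml in the shape Tomcat 6 ships (HTTPS connector commented out, plain connector on 8080 with redirectPort 8443) and reports that requests to the protected URLs will be redirected to port 8443, where nothing listens, which is the connection error seen in the browser. It also reports the opposite case raised later in the thread, where the guarantee is NONE and credentials would travel in the clear. The XML fragments, URL patterns, role names and function names are assumptions made for this example.

```python
# Added example (not JSPWiki or Tomcat code): audit a web.xml against a Tomcat
# server.xml for the mismatch reported in JSPWIKI-212, i.e. constraints that
# demand CONFIDENTIAL transport on a container with no live HTTPS connector.
import xml.etree.ElementTree as ET

# Constructed web.xml fragment mirroring the two CONFIDENTIAL constraints the
# report describes; URL patterns and role names are assumptions.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name><url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name><url-pattern>/Login.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Authenticated</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed server.xml fragment in the shape Tomcat 6 ships: the HTTPS
# connector is commented out, so only the plain connector on 8080 is live
# and its redirectPort points at a port nothing listens on.
SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"/>
    -->
  </Service>
</Server>
"""


def _local(tag):
    """Strip the XML namespace so namespaced and plain web.xml both work."""
    return tag.rsplit("}", 1)[-1]


def confidential_patterns(web_xml):
    """Return the url-patterns whose security-constraint demands CONFIDENTIAL."""
    found = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantee, patterns = None, []
        for el in sc.iter():
            name = _local(el.tag)
            if name == "transport-guarantee":
                guarantee = (el.text or "").strip().upper()
            elif name == "url-pattern":
                patterns.append((el.text or "").strip())
        if guarantee == "CONFIDENTIAL":
            found.extend(patterns)
    return found


def connectors(server_xml):
    """Return (port, is_https, redirectPort) for each live Connector; the
    parser drops XML comments, so a commented-out connector does not count."""
    out = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        is_https = (c.get("SSLEnabled", "").lower() == "true"
                    or c.get("scheme", "").lower() == "https")
        out.append((int(c.get("port")), is_https, c.get("redirectPort")))
    return out


def audit(web_xml, server_xml):
    """Explain what the CONFIDENTIAL constraints will do on this container."""
    patterns = confidential_patterns(web_xml)
    conns = connectors(server_xml)
    https_ports = {port for port, https, _ in conns if https}
    findings = []
    if not patterns:
        # The trade-off the thread argues about: with NONE (or no constraint)
        # login works everywhere, but credentials travel in the clear.
        return ["no CONFIDENTIAL constraint: container-managed login will "
                "send credentials in the clear unless TLS is terminated elsewhere"]
    for port, https, redirect in conns:
        if https:
            continue
        if redirect is None or int(redirect) not in https_ports:
            findings.append(
                f"connector :{port} redirects CONFIDENTIAL URLs {patterns} to "
                f":{redirect}, where no HTTPS connector listens; the browser "
                f"will report that it cannot connect to that port")
    if not findings:
        findings.append("CONFIDENTIAL constraints are served by HTTPS "
                        f"connector(s) on {sorted(https_ports)}")
    return findings
```

To use it against a real deployment, read the two files into strings and pass them to audit(). Because the parser discards XML comments, a connector that exists only inside a comment block is treated as absent, which is exactly the state of a stock Tomcat 6 server.xml.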


Re: [jira] Resolved: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml

Posted by Juergen Weber <we...@gmail.com>.
OK, I understand that the setting will not be changed.

Then I suggest to add:

<!--  REMOVE ME TO ENABLE CONTAINER-MANAGED AUTH,
       PLEASE CHECK THE  user-data-constraint ELEMENTS

and below:

If you do not wish to use SSL, remove the "user-data-constraint"
       elements.
Note that some Containers will silently fail to log-in users if SSL is
not enabled.

On Tue, Oct 7, 2008 at 6:04 PM, Andrew Jaquith (JIRA) <ji...@apache.org> wrote:
>
>     [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>
> Andrew Jaquith resolved JSPWIKI-212.
> ------------------------------------
>
>    Resolution: Won't Fix
>
> SSL is indeed "orthogonal" to container authentication -- in the sense that you aren't required to have it turned on. However, I am very strongly opposed to taking it out on the grounds of security. Regardless of whether the JSPWiki instance is on an intranet or not, the fact is that without SSL, credentials travel in the clear. This is bad.
>
> My position on this is that if an administrator is sophisticated enough to wire up container authentication, they should be grown-up enough to use SSL too. That's a good default security posture, and that is one I want to encourage. But if they don't want to use it, they can simply remove the CONFIDENTIAL element.
>
> I am sorry this has caused you problems. But the guidance in web.xml for this is crystal clear -- there is no way an administrator could miss it.
>
> Marking this as "won't fix."
>

[jira] Commented: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml

Posted by "Janne Jalkanen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12585923#action_12585923 ] 

Janne Jalkanen commented on JSPWIKI-212:
----------------------------------------

Anybody have any opinions on this one?



[jira] Commented: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml

Posted by "Harry Metske (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12585943#action_12585943 ] 

Harry Metske commented on JSPWIKI-212:
--------------------------------------

I agree with Jürgen; I remember it cost me quite some time to solve the same issue. I have transport guarantee NONE everywhere.
But, if we change the default, I think we should put in a warning or a tip somewhere that in order to safely send userid and password you should enable it. 



[jira] Resolved: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml

Posted by "Andrew Jaquith (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Jaquith resolved JSPWIKI-212.
------------------------------------

    Resolution: Won't Fix

SSL is indeed "orthogonal" to container authentication -- in the sense that you aren't required to have it turned on. However, I am very strongly opposed to taking it out on the grounds of security. Regardless of whether the JSPWiki instance is on an intranet or not, the fact is that without SSL, credentials travel in the clear. This is bad.

My position on this is that if an administrator is sophisticated enough to wire up container authentication, they should be grown-up enough to use SSL too. That's a good default security posture, and that is one I want to encourage. But if they don't want to use it, they can simply remove the CONFIDENTIAL element.

I am sorry this has caused you problems. But the guidance in web.xml for this is crystal clear -- there is no way an administrator could miss it.

Marking this as "won't fix." 



[jira] Commented: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml

Posted by "Andrew Jaquith (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12586501#action_12586501 ] 

Andrew Jaquith commented on JSPWIKI-212:
----------------------------------------

I agree with Florian's comment. We should add a comment in web.xml mentioning how to enable SSL. 

However, it is not appropriate to disable the SSL requirement by default. If an admin is sophisticated enough to enable container-managed auth, they should also be able to turn on SSL. In an intranet environment, remember that authentication will be typically against a corporate LDAP server or Active Directory. For this reason, SSL should be on by default.

Marking this as "won't fix."



[jira] Commented: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml

Posted by "Florian Holeczek (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12585945#action_12585945 ] 

Florian Holeczek commented on JSPWIKI-212:
------------------------------------------

I think that container managed authentication is used in environments where this setting makes sense.
Also, it isn't something that makes JSPWiki harder to use out of the box, because it's commented out initially.
This is why I think the setting should stay, but some configuration hint should be inserted.



[jira] Resolved: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml

Posted by "Andrew Jaquith (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Jaquith resolved JSPWIKI-212.
------------------------------------

    Resolution: Won't Fix
      Assignee: Andrew Jaquith



[jira] Reopened: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml

Posted by "Jürgen Weber (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jürgen Weber reopened JSPWIKI-212:
----------------------------------


For Weblogic and Geronimo the problem is still worse, because they immediately send 403 forbidden (JSPWIKI-389).

Container managed security is orthogonal to SSL, else containers would always require transport-guarantee CONFIDENTIAL. 

If an Administrator wants container managed security, she is not bound to want SSL, too. So transport-guarantee CONFIDENTIAL should be off by default and commented out in web.xml. There should be a hint in a comment that it might be necessary.





[jira] Commented: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml

Posted by "Jürgen Weber (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12586027#action_12586027 ] 

Jürgen Weber commented on JSPWIKI-212:
--------------------------------------

I guess

* most JSPWiki installations are intranet, so no need for SSL
* if you have JSPWiki on the internet, you will have it listen on port 80, but you won't run Tomcat as root, so you use Apache and mod_jk, and Apache does the SSL stuff.



[jira] Commented: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml

Posted by "Jürgen Weber (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12586267#action_12586267 ] 

Jürgen Weber commented on JSPWIKI-212:
--------------------------------------

Why should JSPWiki be more strict than Tomcat itself? Tomcat has SSL off by default, which is not surprising, as you should know about SSL certificates: 
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

If you want to put SSL on the internet, you should get a CA issued certificate. People who want to do all that to get SSL running certainly know how to switch on SSL in web.xml.

So, for all other people, let's switch it off in web.xml.





[jira] Commented: (JSPWIKI-212) transport-guarantee CONFIDENTIAL should be removed from web.xml

Posted by "Florian Holeczek (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12586028#action_12586028 ] 

Florian Holeczek commented on JSPWIKI-212:
------------------------------------------

{quote}
most JSPWiki installations are intranet, so no need for SSL
{quote}
That's true for the content itself, but not username/password pairs.
