| Anonymous | Login | Signup for a new account | 04-25-2024 02:58 PDT |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Advanced Details [ Jump to Notes ] | [ View Simple ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0003333 | [Resin] | trivial | always | 02-09-09 12:59 | 03-18-09 12:14 | ||||
| Reporter | stbu | View Status | public | ||||||
| Assigned To | ferg | ||||||||
| Priority | normal | Resolution | fixed | Platform | |||||
| Status | closed | OS | |||||||
| Projection | none | OS Version | |||||||
| ETA | none | Fixed in Version | 4.0.0 | Product Version | 3.1.9 | ||||
| Product Build | |||||||||
| Summary | 0003333: Snapshot 3.1.s090206: <secure/> cause ignoring of login-config and security-constraint | ||||||||
| Description |
When <secure/> is specified in a <web-app>, the configured BASIC Authentication is not applied. When a non SSL Request is performed, Resin will respond with 403 Forbidden. But when an SSL Request is performed, the application is accessable without authentication. The documentation http://caucho.com/resin-3.1/doc/webapp-tags.xtp#secure [^] contains: The <secure> flag requires that the web-app only be accessed in a secure/SSL mode. Equivalent to a <security-constraint>. But this does not imply that <login-config> and other <security-constraint> is ignored, right? Maybe I just don't understand that part of the documentation, but that behavior was not expected. However, I prefer to use <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> This is similar to <secure/>, but the Authentication is still requested. |
||||||||
| Steps To Reproduce | |||||||||
| Additional Information |
My testcase is using a simple resin-web.xml, here is the content. <web-app xmlns="http://caucho.com/ns/resin" [^] xmlns:resin="http://caucho.com/ns/resin/core"> [^] <!-- - http://caucho.com/resin-3.1/doc/webapp-tags.xtp#secure [^] - The <secure> flag requires that the web-app only be accessed - in a secure/SSL mode. Equivalent to a <security-constraint>. --> <secure/> <!-- - When <secure/> is specified, the following BASIC Authentication - is not applied. When the request is an SSL request, the - Application is served. - - Comment out <secure/> and the SSL request will require the - Authentication. --> <login-config auth-method="basic"/> <authenticator type="com.caucho.server.security.XmlAuthenticator"> <init> <path>WEB-INF/password.xml</path> </init> </authenticator> <security-constraint> <auth-constraint role-name='mytest'/> <web-resource-collection> <url-pattern>/*</url-pattern> </web-resource-collection> </security-constraint> </web-app> The attached WAR can be used to reproduce it. Pre-Requirement: Resin must be configured with an SSL Port, such as <http port="8443"> <jsse-ssl> <key-store-type>jks</key-store-type> <key-store-file>conf/keys/server.keystore</key-store-file> <password>changeit</password> </jsse-ssl> </http> from http://caucho.com/resin-3.1/doc/resin-security.xtp#Create [^] a test server certificate |
||||||||
| Attached Files |
 test-secure.war [^] (1,810 bytes) 02-09-09 12:59 |
||||||||
|
|
|||||||||
 Relationships |
|
|
Notes |
|
|
(0003891) ferg 03-18-09 12:14 |
server/1ai0 |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 02-09-09 12:59 | stbu | New Issue | |
| 02-09-09 12:59 | stbu | File Added: test-secure.war | |
| 02-09-09 12:59 | stbu | Issue Monitored: stbu | |
| 03-18-09 12:14 | ferg | Note Added: 0003891 | |
| 03-18-09 12:14 | ferg | Assigned To | => ferg |
| 03-18-09 12:14 | ferg | Status | new => closed |
| 03-18-09 12:14 | ferg | Resolution | open => fixed |
| 03-18-09 12:14 | ferg | Fixed in Version | => 4.0.0 |
| Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
31 total queries executed. 26 unique queries executed. |  |
