0004495: transport-guarantee CONFIDENTIAL permits http

Viewing Issue Advanced Details [ Jump to Notes ]

[ View Simple ] [ Issue History ] [ Print ]

Category

Severity

Reproducibility

Date Submitted

Last Update

0004495

[Resin]

major

always

04-12-11 07:08

04-12-11 12:40

Reporter

cowan

View Status

public

Assigned To

ferg

Priority

normal

Resolution

fixed

Platform

Status

closed

Projection

none

OS Version

ETA

none

Fixed in Version

4.0.17

Product Version

4.0.16

Product Build

Summary

0004495: transport-guarantee CONFIDENTIAL permits http

Description

transport-guarantee CONFIDENTIAL in web.xml is not honored if an auth-constraint also exists. Removing the auth-constraint results in response code 403.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>foo</web-resource-name>
      <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

Steps To Reproduce

Additional Information

rep by Keith Fetterman

Attached Files

Relationships

Notes
(0005191) ferg 04-12-11 12:40	server/1a62

Issue History
Date Modified	Username	Field	Change
04-12-11 07:08	cowan	New Issue
04-12-11 12:40	ferg	Note Added: 0005191
04-12-11 12:40	ferg	Assigned To	=> ferg
04-12-11 12:40	ferg	Status	new => closed
04-12-11 12:40	ferg	Resolution	open => fixed
04-12-11 12:40	ferg	Fixed in Version	=> 4.0.17

Mantis 1.0.0rc3[^]

29 total queries executed.
26 unique queries executed.