ID | Category | Severity | Reproducibility | Date Submitted | Last Update
0003333 | [Resin] | trivial | always | 02-09-09 12:59 | 03-18-09 12:14

Reporter | stbu
View Status | public
Assigned To | ferg
Priority | normal
Resolution | fixed
Status | closed
Product Version | 3.1.9
Summary | 0003333: Snapshot 3.1.s090206: <secure/> causes ignoring of login-config and security-constraint
Description

When <secure/> is specified in a <web-app>, the configured BASIC Authentication is not applied. When a non-SSL request is performed, Resin will respond with 403 Forbidden. But when an SSL request is performed, the application is accessible without authentication.

The documentation http://caucho.com/resin-3.1/doc/webapp-tags.xtp#secure contains:

    "The <secure> flag requires that the web-app only be accessed in a secure/SSL mode. Equivalent to a <security-constraint>."

But this does not imply that <login-config> and other <security-constraint> elements are ignored, right? Maybe I just don't understand that part of the documentation, but that behavior was not expected.

However, I prefer to use

```xml
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
```

This is similar to <secure/>, but the Authentication is still requested.
Additional Information

My testcase is using a simple resin-web.xml, here is the content.

```xml
<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="http://caucho.com/ns/resin/core">
  <!--
    - http://caucho.com/resin-3.1/doc/webapp-tags.xtp#secure
    - The <secure> flag requires that the web-app only be accessed
    - in a secure/SSL mode. Equivalent to a <security-constraint>.
  -->
  <secure/>
  <!--
    - When <secure/> is specified, the following BASIC Authentication
    - is not applied. When the request is an SSL request, the
    - Application is served.
    -
    - Comment out <secure/> and the SSL request will require the
    - Authentication.
  -->
  <login-config auth-method="basic"/>
  <authenticator type="com.caucho.server.security.XmlAuthenticator">
    <init>
      <path>WEB-INF/password.xml</path>
    </init>
  </authenticator>
  <security-constraint>
    <auth-constraint role-name='mytest'/>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
```

The attached WAR can be used to reproduce it.

Pre-Requirement: Resin must be configured with an SSL Port, such as

```xml
<http port="8443">
  <jsse-ssl>
    <key-store-type>jks</key-store-type>
    <key-store-file>conf/keys/server.keystore</key-store-file>
    <password>changeit</password>
  </jsse-ssl>
</http>
```

from http://caucho.com/resin-3.1/doc/resin-security.xtp#Create ("Create a test server certificate").
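An added audit example in Python, not code from the bug report or from Caucho: it parses a resin-web.xml and flags the combination the report describes, <secure/> next to <login-config>, and also checks that each authenticated security-constraint carries the CONFIDENTIAL transport guarantee the reporter prefers instead. Both sample documents are constructed, abbreviated from the reporter's test file.

```python
# Added audit example, not code from the bug report or from Caucho: flag a
# resin-web.xml that pairs <secure/> with <login-config> (the pattern the report
# says drops BASIC auth on SSL requests) and authenticated constraints lacking
# the CONFIDENTIAL transport guarantee the reporter prefers instead.
import xml.etree.ElementTree as ET

# Constructed sample, abbreviated from the reporter's test resin-web.xml.
VULNERABLE_WEB_XML = """<web-app xmlns="http://caucho.com/ns/resin">
  <secure/>
  <login-config auth-method="basic"/>
  <security-constraint>
    <auth-constraint role-name='mytest'/>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

# Constructed sample: SSL still required, but via <user-data-constraint>,
# so the BASIC authentication is still requested.
HARDENED_WEB_XML = """<web-app xmlns="http://caucho.com/ns/resin">
  <login-config auth-method="basic"/>
  <security-constraint>
    <auth-constraint role-name='mytest'/>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def _children(el, name):
    """Direct children named `name`, ignoring the namespace prefix."""
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def audit_resin_web_xml(xml_text):
    """Return finding strings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    constraints = _children(root, "security-constraint")
    if _children(root, "secure") and (_children(root, "login-config") or constraints):
        findings.append("<secure/> alongside <login-config>/<security-constraint>: "
                        "on 3.1.s090206 SSL requests are served without authentication")
    for sc in constraints:
        udc = _children(sc, "user-data-constraint")
        tg = _children(udc[0], "transport-guarantee") if udc else []
        guarantee = (tg[0].text or "").strip() if tg else ""
        if _children(sc, "auth-constraint") and guarantee != "CONFIDENTIAL":
            findings.append("security-constraint with <auth-constraint> lacks "
                            "<transport-guarantee>CONFIDENTIAL</transport-guarantee>")
    return findings
```

Running `audit_resin_web_xml` on the first sample yields two findings and on the second none, which is the configuration difference the report turns on.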
Attached Files | test-secure.war (1,810 bytes) 02-09-09 12:59