Mantis - Resin
4843 minor always 11-07-11 16:33 11-08-11 11:07
alex  
alex  
normal  
closed 4.0.23  
fixed  
none    
none 4.0.24  
0004843: transport-guarantee confidential with BasicLogin
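Resin should redirect the request to https before issuing the BASIC auth challenge, so that credentials are never requested over plain http. Instead it requests basic auth on the http connection.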
The bug occurs when auth-constraint/role-name is configured before user-data-constraint/transport-guarantee.
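<?xml version="1.0" encoding="UTF-8"?>
<!--
  Reproduction config for the issue: BASIC login combined with a CONFIDENTIAL
  transport guarantee on every URL. Per the report, the expected behaviour is a
  redirect to https before any BASIC challenge is sent; the affected build sent
  the challenge on the plain http request instead.
-->
<web-app xmlns="http://caucho.com/ns/resin"
         xmlns:resin="urn:java:com.caucho.resin">

  <!--
    Inline test user. With password-digest="none" the password attribute holds
    the clear-text password, which is acceptable only for a reproduction case.
    A deployed config should store a digested password instead.
  -->
  <resin:XmlAuthenticator password-digest="none">
    <resin:user name="user" password="password" group="secure_area"/>
  </resin:XmlAuthenticator>

  <!--
    BASIC sends the user name and password Base64-encoded, not encrypted, so a
    challenge answered over plain http exposes the credentials on the wire.
  -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Secure_Web_App</realm-name>
  </login-config>

  <security-role>
    <role-name>secure_area</role-name>
  </security-role>

  <!-- Applies to the whole application: every path requires role and TLS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure_area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!--
      Element order is part of the reproduction: the report states the bug
      occurs when auth-constraint comes before user-data-constraint. This is
      also the order the servlet deployment descriptor schema prescribes, so
      do not reorder these two elements when re-testing.
    -->
    <auth-constraint>
      <role-name>secure_area</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL: the resource must only be served over a secure transport. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

</web-app>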

Notes
(0005607)
alex   
11-08-11 11:07   
server/12hl