Admin Console Security does not work at all
-------------------------------------------
Key: AXIS2-580
URL: http://issues.apache.org/jira/browse/AXIS2-580
Project: Apache Axis 2.0 (Axis2)
Type: Bug
Components: Tools
Versions: 0.95
Reporter: Jens Schumann
Priority: Blocker
(copied and pasted from
http://marc.theaimsgroup.com/?l=axis-dev&m=114528552707863&w=2 )
The current admin console security implementation contains several security
flaws:
- The security checks themselves seem to happen in the VIEW only, after
the action was processed. So, if I am not mistaken, I can manually create the
admin URLs and deactivate services and so on (getting a rendering error, of
course, afterwards).
- One could argue that in a production environment you will not enable the
AdminServlet. However, it seems that the current AxisServlet doGet
implementation will forward processing to the ListingAgent if there is no
SOAP request, which in turn means that I can disable services without
knowing the username/password.
To test the bug, just deploy axis2.war and request the following URL:
http://localhost:8080/axis2/inActivateService?axisService=version&turnoff=on&submit=+In-activate+
version will be deactivated afterwards.
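To make the ordering problem in this report concrete, here is an added example (not Axis2's code; the AdminConsole class, the session dict and the simplified action handling are assumptions) that contrasts checking authorisation only while rendering the view, after the action has run, with checking it before the action runs.

```python
# Added example (not Axis2 code): a minimal model of an admin console that
# performs state-changing actions on GET requests. It contrasts the flawed
# ordering reported here (authorisation checked only when rendering the
# result view, after the action ran) with checking before the action runs.
from urllib.parse import urlsplit, parse_qs

class AdminConsole:
    """Toy service registry with an admin 'inActivateService' action."""

    def __init__(self, check_before_action: bool):
        self.services = {"version": True}      # service name -> active?
        self.check_before_action = check_before_action

    def _authorised(self, session: dict) -> bool:
        return session.get("logged_in") is True

    def handle_get(self, url: str, session: dict) -> int:
        """Dispatch a GET like the reported URL; returns an HTTP status."""
        parts = urlsplit(url)
        action = parts.path.rsplit("/", 1)[-1]
        params = parse_qs(parts.query)
        if action != "inActivateService":
            return 404

        # Hardened ordering: refuse before any state changes.
        if self.check_before_action and not self._authorised(session):
            return 403

        # The action itself: deactivate the named service.
        name = params.get("axisService", [""])[0]
        if name in self.services and "turnoff" in params:
            self.services[name] = False

        # Flawed ordering: the view is the only place the check happens,
        # so an anonymous caller gets an error page but the change sticks.
        if not self._authorised(session):
            return 403   # the "rendering error" the report observes
        return 200

REPORTED_URL = ("http://localhost:8080/axis2/inActivateService"
                "?axisService=version&turnoff=on&submit=+In-activate+")

def demo():
    """Return (version active after flawed console, ... after fixed console)."""
    anon = {}                      # no admin session at all
    flawed = AdminConsole(check_before_action=False)
    fixed = AdminConsole(check_before_action=True)
    flawed.handle_get(REPORTED_URL, anon)
    fixed.handle_get(REPORTED_URL, anon)
    return flawed.services["version"], fixed.services["version"]
```

With the flawed ordering the anonymous request still deactivates the service even though the caller only sees an error; with the check moved ahead of the action the registry is untouched.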