[ http://issues.apache.org/jira/browse/AXIS2-580?page=comments#action_12374787 ]
Jens Schumann commented on AXIS2-580:
-------------------------------------

While it is important to fix this issue ASAP it would be better to go for AXIS2-581.

> Admin Console Security does not work at all
> -------------------------------------------
>
>          Key: AXIS2-580
>          URL: http://issues.apache.org/jira/browse/AXIS2-580
>      Project: Apache Axis 2.0 (Axis2)
>         Type: Bug
>   Components: Tools
>     Versions: 0.95
>     Reporter: Jens Schumann
>     Priority: Blocker
>
> (copy and paste from
> http://marc.theaimsgroup.com/?l=axis-dev&m=114528552707863&w=2 )
>
> The current admin console security implementation contains several security
> flaws:
>
> - The security checks themselves seem to happen in the VIEW only, after
>   the action was processed. So if I am not mistaken I can manually create the
>   admin URLs and deactivate services and so on. (Getting a rendering error of
>   course afterwards.)
>
> - One could argue that in a production environment you will not enable the
>   AdminServlet. However, it seems that the current AxisServlet doGet
>   implementation will forward processing to the ListingAgent if there is no
>   SOAP request, which in turn means that I can disable services without
>   knowing the username/password.
>
> To test the bug just deploy axis2.war and request the following URL:
> http://localhost:8080/axis2/inActivateService?axisService=version&turnoff=on&submit=+In-activate+
> version will be deactivated afterwards.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
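The flaw the report describes is one of ordering: the state-changing action runs first and the login check only fires when the result page is rendered, so an unauthenticated request still takes effect and merely gets an error page back. The following is an added illustration, not Axis2 code: a minimal hypothetical admin dispatcher (`Request`, `Registry`, `inactivate_service`, `handle_check_in_view`, `handle_check_before_action` are all invented names) that models the check-in-the-view pattern beside the corrected pattern, where an authorization gate runs before any admin action is dispatched.

```python
"""Added example modelling AXIS2-580's ordering flaw. Hypothetical code,
not Axis2's implementation; names are invented for illustration."""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    params: dict
    # In a real servlet this would come from the session; constructed here.
    authenticated: bool = False


@dataclass
class Registry:
    # Constructed sample state: one deployed service, initially active.
    services: dict = field(default_factory=lambda: {"version": True})


class NotAuthorized(Exception):
    """Raised when an admin operation is attempted without a login."""


def inactivate_service(req: Request, registry: Registry) -> str:
    """Action handler: flips the service off, then names the view to render."""
    name = req.params.get("axisService")
    if req.params.get("turnoff") == "on" and name in registry.services:
        registry.services[name] = False
    return "inactivateservice_view"


# Hypothetical action table, analogous to an admin path -> handler mapping.
ACTIONS = {"inActivateService": inactivate_service}
ADMIN_PATHS = set(ACTIONS)


def render_view(view: str, req: Request) -> str:
    """The view is the only place the login check lives in the flawed design."""
    if not req.authenticated:
        raise NotAuthorized("login required")
    return f"rendered {view}"


def handle_check_in_view(req: Request, registry: Registry) -> str:
    """Flawed pattern: action first, authorization check in the view.

    By the time render_view raises, the registry has already been modified.
    """
    view = ACTIONS[req.path](req, registry)
    return render_view(view, req)


def handle_check_before_action(req: Request, registry: Registry) -> str:
    """Hardened pattern: a gate in front of every admin action.

    Nothing is dispatched, and therefore nothing changes, until the request
    has been authorized. The view check is kept as defence in depth.
    """
    if req.path in ADMIN_PATHS and not req.authenticated:
        raise NotAuthorized("login required")
    view = ACTIONS[req.path](req, registry)
    return render_view(view, req)


def service_active_after(handler, authenticated: bool = False) -> bool:
    """Run one deactivation request through `handler` on a fresh registry and
    report whether the 'version' service is still active afterwards."""
    registry = Registry()
    req = Request(
        path="inActivateService",
        params={"axisService": "version", "turnoff": "on"},
        authenticated=authenticated,
    )
    try:
        handler(req, registry)
    except NotAuthorized:
        pass  # the caller sees an error page either way; the state is what matters
    return registry.services["version"]


if __name__ == "__main__":
    print("check in view, anonymous, still active?:",
          service_active_after(handle_check_in_view))          # False: deactivated
    print("check before action, anonymous, still active?:",
          service_active_after(handle_check_before_action))    # True: untouched
    print("check before action, logged in, still active?:",
          service_active_after(handle_check_before_action, True))  # False: allowed
```

The point for a reviewer or pentester verifying a fix is the last function: the interesting observable is not the HTTP response (both designs return an error to an anonymous caller) but whether the server-side state changed. A regression test for this class of bug should assert on the state, as `service_active_after` does, rather than on the status code or page contents.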
