[ https://issues.apache.org/jira/browse/GERONIMO-1384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Jencks closed GERONIMO-1384.
----------------------------------

       Resolution: Fixed
    Fix Version/s:     (was: Wish List)
                   2.1
         Assignee: David Jencks

This was fixed a long time ago.  Apps won't deploy if they have security 
configuration in the spec dds but no geronimo plan describing how to login and 
get to the app roles.  I would need some argument that deploying a secured app 
with no geronimo security configuration and only allowing access to unsecured 
pages is a good idea.

> Provide default security realm for web-apps with secured pages deployed 
> without a plan
> --------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-1384
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-1384
>             Project: Geronimo
>          Issue Type: New Feature
>      Security Level: public(Regular issues) 
>          Components: security, web
>    Affects Versions: 1.0-M5
>            Reporter: Aaron Mulder
>            Assignee: David Jencks
>            Priority: Minor
>             Fix For: 2.1
>
>         Attachments: security-reject.patch
>
>
> If you deploy a web application with certain pages/URLs protected by a login, 
> but you don't include a Geronimo deployment plan, all those pages/URLs are 
> unprotected.  To replicate:
> Deploy this with no plan: 
> http://cvs.apache.org/repository/geronimo/wars/geronimo-ldap-demo-1.0-SNAPSHOT.war
> and then visit http://localhost:8080/geronimo-ldap-demo-1.0-SNAPSHOT and 
> click the links to "secure" and "forbidden".  Both links work, with no login 
> prompt.  Instead, you should get a login prompt and (since no realm was 
> configured) all logins should fail.
> The web.xml in this case contains:
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>Admin Role</web-resource-name>
>         <url-pattern>/protect/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint>
>         <role-name>content-administrator</role-name>
>       </auth-constraint>
>     </security-constraint>
>     
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>No Access</web-resource-name>
>         <url-pattern>/forbidden/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint/>
>     </security-constraint>
>     <login-config>
>       <auth-method>FORM</auth-method>
>       <realm-name>MYREALM</realm-name>
>       <form-login-config>
>          <form-login-page>/auth/logon.html?param=test</form-login-page>
>          <form-error-page>/auth/logonError.html?param=test</form-error-page>
>       </form-login-config>
>     </login-config>
>     <security-role>
>       <role-name>content-administrator</role-name>
>     </security-role>
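
The rule the closing comment describes (a web.xml that declares security constraints must be paired with a Geronimo plan that names a login realm, otherwise deployment is refused rather than the constraints being silently dropped), as an added example that is not Geronimo's own deployer code: a small deploy-time lint in Python. The web.xml sample is the issue's own, condensed; the plan fragment and its `security-realm-name` element are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security-constraint and login-config blocks from the issue's web.xml.
WEB_XML = """<web-app>
  <security-constraint><web-resource-collection><web-resource-name>Admin Role</web-resource-name>
    <url-pattern>/protect/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>content-administrator</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><web-resource-name>No Access</web-resource-name>
    <url-pattern>/forbidden/*</url-pattern></web-resource-collection>
    <auth-constraint/></security-constraint>
  <login-config><auth-method>FORM</auth-method><realm-name>MYREALM</realm-name></login-config>
</web-app>"""
# Constructed plan fragment; the element name is an assumption, not Geronimo's schema.
PLAN_XML = "<web-app><security-realm-name>example-realm</security-realm-name></web-app>"

def _local(tag: str) -> str:
    """Strip any namespace prefix so a web.xml with or without xmlns parses alike."""
    return tag.rsplit("}", 1)[-1]

def protected_resources(web_xml: str) -> dict:
    """Map each url-pattern under an <auth-constraint> to its allowed roles.
    An empty <auth-constraint/> (the /forbidden/* case) denies everyone: roles == frozenset()."""
    protected = {}
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        if not auth:
            continue  # e.g. only a transport guarantee; no login decision involved
        roles = frozenset((r.text or "").strip() for r in auth[0] if _local(r.tag) == "role-name")
        for wrc in sc:
            if _local(wrc.tag) == "web-resource-collection":
                for up in wrc:
                    if _local(up.tag) == "url-pattern":
                        protected[(up.text or "").strip()] = roles
    return protected

def plan_names_realm(plan_xml) -> bool:
    """True when a plan is present and names a login realm (element name assumed above)."""
    if not plan_xml:
        return False
    return any(_local(e.tag) == "security-realm-name" and (e.text or "").strip()
               for e in ET.fromstring(plan_xml).iter())

def deployment_decision(web_xml: str, plan_xml=None) -> str:
    """Apply the issue's rule: constraints without a realm-bearing plan are rejected."""
    protected = protected_resources(web_xml)
    if not protected or plan_names_realm(plan_xml):
        return "deploy"
    return f"reject: protected patterns {sorted(protected)} but no plan names a security realm"
```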

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.