Yep, this is an argument. The URL path is
http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=false
Some improvments:
1)
Changing the ant pattern to "/web/" instead of "/web/**"
2)
Check that the number of parameters is 2
3)
Check that
wicket:bookmarkablePage<http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=false>
exists and has the value
:org.geoserver.web.GeoServerLoginPage<http://localhost:8080/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=false>
4)
Check that error parameter exists and has the value false or true.
I will check this and update the patch.
Christian
2013/7/24 Roar Brænden <[email protected]>
> Hi,
>
> I look at your code and are a little bit concerned about the solution for
> Login-page itself.
> Wouldn't it be easy to include "org.geoserver.web.GeoServerLoginPage" as a
> part of the queryString in any url?
> In that way this hack would be a fairly decent security hole.
>
> Regards,
>
> Roar Brænden
>
>
> 2013/7/23 Christian Mueller <[email protected]>
>
>> The issue is here
>>
>> https://jira.codehaus.org/browse/GEOS-5921#comment-329355
>>
>> The patch is here
>>
>>
>> https://github.com/mcrmcr/geoserver-1/commit/7c3e9aaf7aa4a625099fcd6bd88199b5ed1c15e7
>>
>> The patch contains only a few lines, but it is a hack. As a consequence,
>> a review would be nice.
>>
>> @Justin, I think this class was invented by you.
>>
>> Thanks to reviewer :-)
>>
>>
>> --
>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>> OSS Open Source Solutions GmbH
>>
>>
>>
>> ------------------------------------------------------------------------------
>> See everything from the browser to the database with AppDynamics
>> Get end-to-end visibility with application monitoring from AppDynamics
>> Isolate bottlenecks and diagnose root cause in seconds.
>> Start your free trial of AppDynamics Pro today!
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Geoserver-devel mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>
>>
>
--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
