[ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Jaquith resolved JSPWIKI-212.
------------------------------------
Resolution: Won't Fix
SSL is indeed "orthogonal" to container authentication -- in the sense that you
aren't required to have it turned on. However, I am very strongly opposed to
taking it out on the grounds of security. Regardless of whether the JSPWiki
instance is on an intranet or not, the fact is that without SSL, credentials
travel in the clear. This is bad.
My position on this is that if an administrator is sophisticated enough to wire
up container authentication, they should be grown-up enough to use SSL too.
That's a good default security posture, and that is one I want to encourage.
But if they don't want to use it, they can simply remove the CONFIDENTIAL
element.
I am sorry this has caused you problems. But the guidance in web.xml for this
is crystal clear -- there is no way an administrator could miss it.
Marking this as "won't fix."
> transport-guarantee CONFIDENTIAL should be removed from web.xml
> ---------------------------------------------------------------
>
> Key: JSPWIKI-212
> URL: https://issues.apache.org/jira/browse/JSPWIKI-212
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication&Authorization
> Affects Versions: 2.6.2
> Environment: apache-tomcat-6.0.16
> Reporter: Jürgen Weber
> Assignee: Andrew Jaquith
> Priority: Minor
>
> The default web.xml of JSPWiki contains the following twice
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> for container managed authorization.
> But by default Tomcat does not have SSL switched on, and when trying to log in
> to JSPWiki you get
> Firefox can't establish a connection to the server at localhost:8443.
> By default the user-data-constraint element should be removed as it makes
> activating container managed authorization unnecessarily difficult.
> Especially as it is not easy or obvious to notice the connection between the
> cited error message and the user-data-constraint element.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.