Oh, naturally. The security creep wouldn't have it any other way. I'll
be sure to write something very stern and scary.

On Tue, May 12, 2009 at 3:00 PM, Harry Metske <[email protected]> wrote:
> +1
>
> and we should add a very strong warning with it in the web.xml
>
>
>
> 2009/5/12 Andrew Jaquith <[email protected]>
>
>> Switched to the dev list:
>>
>> The security creep in me wants everything to be secure out of the box,
>> hence the default configuration of CONFIDENTIAL for container logins.
>>
>> However, the "make it just work out of the box" usability freak hates
>> stuff like this.
>>
>> The usability freak is currently beating up the security creep. I
>> think we should use a default NONE for transport-guarantee for 3.0.
>>
>> Thoughts? Can I get an amen? (that's Southern Baptist for "requesting a
>> +1").
>>
>> Andrew
>>
>>
>> On Tue, May 12, 2009 at 2:41 PM, Harry Metske <[email protected]>
>> wrote:
>> > What could be the case is that, because you have
>> > <transport-guarantee>CONFIDENTIAL</transport-guarantee>, Tomcat redirects
>> > you to the port configured as redirectPort, as defined on the Connector
>> > element in Tomcat's server.xml.
>> >
>> > You could verify that by using
>> > <transport-guarantee>NONE</transport-guarantee>
>> >
>> > regards,
>> > Harry
>> >
>> > 2009/5/12 Kinicky <[email protected]>
>> >
>> >> Hi everyone!
>> >>
>> >> This is my scenario: I have users on AD and want them to use JSPWiki. I
>> >> followed the pages above but didn't succeed:
>> >> http://www.jspwiki.org/wiki/ActiveDirectoryIntegration
>> >> http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP
>> >>
>> >> It's odd: after I made these changes I'm able to navigate through the
>> >> pages of the wiki except Login.jsp. When I try to go there to
>> >> authenticate I get an error message saying Firefox failed to establish
>> >> a connection with my server.
>> >>
>> >> I hope someone can help me!
>> >>
>> >> Here is some information:
>> >> *server.xml* on Tomcat:
>> >>      <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>> >>             connectionURL="ldap://server:389"
>> >>             connectionName="username"
>> >>             connectionPassword="password"
>> >>             referrals="follow"
>> >>             userBase="OU=Usuarios, OU=Cit, DC=cit"
>> >>             userSearch="(sAMAccountName={0})"
>> >>             userRoleName="memberOf"
>> >>             userSubtree="true"
>> >>      />
>> >>
>> >> *web.xml* of JSPWiki
>> >>   <security-constraint>
>> >>       <web-resource-collection>
>> >>           <web-resource-name>Administrative Area</web-resource-name>
>> >>           <url-pattern>/Delete.jsp</url-pattern>
>> >>       </web-resource-collection>
>> >>       <auth-constraint>
>> >>           <role-name>Admin</role-name>
>> >>       </auth-constraint>
>> >>       <user-data-constraint>
>> >>           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> >>       </user-data-constraint>
>> >>   </security-constraint>
>> >>
>> >>   <security-constraint>
>> >>       <web-resource-collection>
>> >>           <web-resource-name>Authenticated area</web-resource-name>
>> >>           <url-pattern>/Edit.jsp</url-pattern>
>> >>           <url-pattern>/Comment.jsp</url-pattern>
>> >>           <url-pattern>/Login.jsp</url-pattern>
>> >>           <url-pattern>/NewGroup.jsp</url-pattern>
>> >>           <url-pattern>/Rename.jsp</url-pattern>
>> >>           <url-pattern>/Upload.jsp</url-pattern>
>> >>           <http-method>DELETE</http-method>
>> >>           <http-method>GET</http-method>
>> >>           <http-method>HEAD</http-method>
>> >>           <http-method>POST</http-method>
>> >>           <http-method>PUT</http-method>
>> >>       </web-resource-collection>
>> >>
>> >>       <web-resource-collection>
>> >>           <web-resource-name>Read-only Area</web-resource-name>
>> >>           <url-pattern>/attach</url-pattern>
>> >>           <http-method>DELETE</http-method>
>> >>           <http-method>POST</http-method>
>> >>           <http-method>PUT</http-method>
>> >>       </web-resource-collection>
>> >>
>> >>       <auth-constraint>
>> >>           <role-name>Admin</role-name>
>> >>           <role-name>Authenticated</role-name>
>> >>       </auth-constraint>
>> >>
>> >>       <user-data-constraint>
>> >>           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> >>       </user-data-constraint>
>> >>   </security-constraint>
>> >>
>> >>   <login-config>
>> >>       <auth-method>FORM</auth-method>
>> >>       <form-login-config>
>> >>           <form-login-page>/LoginForm.jsp</form-login-page>
>> >>           <form-error-page>/LoginForm.jsp</form-error-page>
>> >>       </form-login-config>
>> >>   </login-config>
>> >>
>> >>   <security-role>
>> >>       <description>
>> >>           This logical role includes all authenticated users
>> >>       </description>
>> >>       <role-name>Authenticated</role-name>
>> >>   </security-role>
>> >>
>> >>   <security-role>
>> >>       <description>
>> >>           This logical role includes all administrative users
>> >>       </description>
>> >>       <role-name>Admin</role-name>
>> >>   </security-role>
>> >>
>> >
>>
>
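As an added example (not code from this thread or from JSPWiki), a small Python check for the mismatch Harry describes: a CONFIDENTIAL transport-guarantee in web.xml combined with an HTTP Connector whose redirectPort has no SSL-enabled Connector behind it. The web.xml and server.xml fragments are constructed for the example; the broken one reproduces the Login.jsp situation above, the fixed one adds the missing HTTPS Connector.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment mirroring the thread: Login.jsp demands CONFIDENTIAL.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
  <web-resource-collection><url-pattern>/Login.jsp</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint></web-app>"""

# Constructed server.xml: HTTP on 8080 redirects CONFIDENTIAL requests to 8443, but
# nothing listens there, so the browser's follow-up connection fails.
SERVER_XML_BROKEN = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
</Service></Server>"""

# Same, with an SSL-enabled Connector actually serving the redirect target.
SERVER_XML_FIXED = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""

def _parse(xml: str) -> ET.Element:
    """Parse and strip namespaces so the web.xml paths below work for any schema version."""
    root = ET.fromstring(xml)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root

def confidential_patterns(web_xml: str) -> list[str]:
    """url-patterns whose user-data-constraint requires CONFIDENTIAL transport."""
    out = []
    for sc in _parse(web_xml).findall("security-constraint"):
        tg = sc.findtext("user-data-constraint/transport-guarantee", default="NONE")
        if tg.strip().upper() == "CONFIDENTIAL":
            out += [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
    return out

def dangling_redirects(server_xml: str) -> list[str]:
    """redirectPort values that no SSL-enabled (or secure="true") Connector serves."""
    conns = _parse(server_xml).findall(".//Connector")
    ssl_ports = {c.get("port") for c in conns
                 if "true" in (c.get("SSLEnabled", "").lower(), c.get("secure", "").lower())}
    return [c.get("redirectPort") for c in conns
            if c.get("redirectPort") and c.get("redirectPort") not in ssl_ports]

def check(web_xml: str, server_xml: str) -> list[str]:
    """Findings: CONFIDENTIAL url-patterns that Tomcat would redirect to a dead port."""
    return [f"{p}: CONFIDENTIAL redirects to port {port}, which has no SSL Connector"
            for p in confidential_patterns(web_xml)
            for port in dangling_redirects(server_xml)]
```

Running check() against the real web.xml and server.xml of a deployment gives an empty list when either the constraints are NONE or every redirectPort is backed by an SSL Connector; anything else is the "Firefox can't connect" symptom waiting to happen.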
