It would be so cool to have a switch in jspwiki.properties or the admin UI. But that may be a bit challenging - unless we have login.jsp and loginsecure.jsp, and define the latter to have CONFIDENTIAL transport; then check in the corresponding jsp file whether the bit is on in the property file. Would that work?

/Janne

On 12 May 2009, at 22:02, Andrew Jaquith wrote:

Oh, naturally. The security creep wouldn't have it any other way. I'll
be sure to write something very stern and scary.

On Tue, May 12, 2009 at 3:00 PM, Harry Metske <[email protected]> wrote:
+1

and we should add a very strong warning with it in the web.xml



2009/5/12 Andrew Jaquith <[email protected]>

Switched to the dev list:

The security creep in me wants everything to be secure out of the box, hence the default configuration of CONFIDENTIAL for container logins.

However, the "make it just work out of the box" usability freak hates
stuff like this.

The usability freak is currently beating up the security creep. I
think we should use a default NONE for transport-guarantee for 3.0.

Thoughts? Can I get an amen? (that's Southern Baptist for "requesting a
+1").

Andrew


On Tue, May 12, 2009 at 2:41 PM, Harry Metske <[email protected]> wrote:
What could be the case is that, because you have
<transport-guarantee>CONFIDENTIAL</transport-guarantee>, Tomcat redirects you to the port configured as redirectPort on the Connector
element in Tomcat's server.xml.

You could verify that by using
<transport-guarantee>NONE</transport-guarantee>

regards,
Harry

2009/5/12 Kinicky <[email protected]>

Hi everyone!

This is my scenario: I have users on AD and want them to use JSPWiki. I
followed the pages above but didn't succeed:
http://www.jspwiki.org/wiki/ActiveDirectoryIntegration
http://www.jspwiki.org/wiki/WebContainerAuthenticationViaLDAP

It's odd: after I did these changes I'm able to navigate through the
pages of the wiki except Login.jsp. When I try to go there to authenticate I
got an error message saying Firefox failed to establish a connection with
my server.

I hope someone can help me!

Here is some information:
*server.xml* on Tomcat:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://server:389"
       connectionName="username"
       connectionPassword="password"
       referrals="follow"
       userBase="OU=Usuarios, OU=Cit, DC=cit"
       userSearch="(sAMAccountName={0})"
       userRoleName="memberOf"
       userSubtree="true"
/>

*web.xml* of JSPWiki
  <security-constraint>
      <web-resource-collection>
          <web-resource-name>Administrative Area</web-resource-name>
          <url-pattern>/Delete.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint>
          <role-name>Admin</role-name>
      </auth-constraint>
      <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
  </security-constraint>

  <security-constraint>
      <web-resource-collection>
          <web-resource-name>Authenticated area</web-resource-name>
          <url-pattern>/Edit.jsp</url-pattern>
          <url-pattern>/Comment.jsp</url-pattern>
          <url-pattern>/Login.jsp</url-pattern>
          <url-pattern>/NewGroup.jsp</url-pattern>
          <url-pattern>/Rename.jsp</url-pattern>
          <url-pattern>/Upload.jsp</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>GET</http-method>
          <http-method>HEAD</http-method>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
      </web-resource-collection>

      <web-resource-collection>
          <web-resource-name>Read-only Area</web-resource-name>
          <url-pattern>/attach</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
      </web-resource-collection>

      <auth-constraint>
          <role-name>Admin</role-name>
          <role-name>Authenticated</role-name>
      </auth-constraint>

      <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
  </security-constraint>

  <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
          <form-login-page>/LoginForm.jsp</form-login-page>
          <form-error-page>/LoginForm.jsp</form-error-page>
      </form-login-config>
  </login-config>

  <security-role>
      <description>
          This logical role includes all authenticated users
      </description>
      <role-name>Authenticated</role-name>
  </security-role>

  <security-role>
      <description>
          This logical role includes all administrative users
      </description>
      <role-name>Admin</role-name>
  </security-role>
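Harry's diagnosis above (CONFIDENTIAL makes Tomcat redirect to the Connector's redirectPort) can be turned into a quick configuration check against the web.xml just posted. The following Python script is an added example, not code from this thread or from JSPWiki: it lists the URL patterns whose security-constraint demands CONFIDENTIAL transport and flags any redirectPort that no TLS-enabled Connector actually serves, which is the combination that leaves Login.jsp unreachable. The sample web.xml and server.xml fragments are constructed, and the check assumes Tomcat's `SSLEnabled`/`secure` Connector attributes mark the TLS listener.

```python
import xml.etree.ElementTree as ET
# Constructed samples (not the poster's full files): WEB_XML demands CONFIDENTIAL transport for
# /Login.jsp; SERVER_BROKEN sends redirectPort to 8443 with nothing listening; SERVER_OK adds TLS.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/Login.jsp</url-pattern>
      <url-pattern>/Edit.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
SERVER_BROKEN = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
</Service></Server>"""
SERVER_OK = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
</Service></Server>"""

def parse_no_ns(text):
    """Parse XML and strip namespaces so web.xml's default xmlns does not hide its tags."""
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root

def confidential_patterns(web_xml):
    """url-patterns whose security-constraint requires CONFIDENTIAL transport."""
    found = []
    for sc in parse_no_ns(web_xml).iter("security-constraint"):
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if tg == "CONFIDENTIAL":
            found += [p.text.strip() for p in sc.iter("url-pattern")]
    return found

def dead_redirect_ports(server_xml):
    """redirectPorts referenced by a Connector but served by no TLS Connector."""
    conns = list(parse_no_ns(server_xml).iter("Connector"))
    tls = {c.get("port") for c in conns
           if c.get("SSLEnabled", "").lower() == "true" or c.get("secure", "").lower() == "true"}
    return sorted({c.get("redirectPort") for c in conns
                   if c.get("redirectPort") and c.get("redirectPort") not in tls})

def unreachable_pages(web_xml, server_xml):
    """Pages that redirect to a port nothing listens on: the 'cannot connect' symptom on Login.jsp."""
    return confidential_patterns(web_xml) if dead_redirect_ports(server_xml) else []
```

Calling `unreachable_pages(WEB_XML, SERVER_BROKEN)` returns both protected pages, while the same call with `SERVER_OK` returns an empty list; switching the transport-guarantee to NONE, as Harry suggests for testing, also empties it.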