5:55 a.m.
Tomcat allows http access with transport guarantie CONFIDENTIAL
---------------------------------------------------------------
Key: JBAS-3595
URL: http://jira.jboss.com/jira/browse/JBAS-3595
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Reporter: Thomas Diesler
Fix For: JBossAS-5.0.0.Beta
The generated web.xml contains CONFIDENTIAL. Access via http:// should be denied.
This woks in Branch_4_0
/home/tdiesler/svn/jbossws/trunk/src/test
[tdiesler@tdvaio test]$ ant -Dtest=org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
one-test
one-test:
[junit] Running org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
[junit] Tests run: 5, Failures: 1, Errors: 0, Time elapsed: 5.452 sec
[junit] Test org.jboss.test.ws.samples.secureejb.SecureEJBTestCase FAILED
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:30 a.m.
New subject: [JBoss JIRA] Updated: (JBAS-3595) Tomcat allows http access with transport guarantie CONFIDENTIAL
[ http://jira.jboss.com/jira/browse/JBAS-3595?page=all ]
Dimitris Andreadis updated JBAS-3595:
-------------------------------------
Fix Version/s: JBossAS-5.0.0.Beta2
(was: JBossAS-5.0.0.Beta1)
Tomcat allows http access with transport guarantie CONFIDENTIAL
---------------------------------------------------------------
Key: JBAS-3595
URL: http://jira.jboss.com/jira/browse/JBAS-3595
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Reporter: Thomas Diesler
Fix For: JBossAS-5.0.0.Beta2
The generated web.xml contains CONFIDENTIAL. Access via http:// should be denied.
This woks in Branch_4_0
/home/tdiesler/svn/jbossws/trunk/src/test
[tdiesler@tdvaio test]$ ant -Dtest=org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
one-test
one-test:
[junit] Running org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
[junit] Tests run: 5, Failures: 1, Errors: 0, Time elapsed: 5.452 sec
[junit] Test org.jboss.test.ws.samples.secureejb.SecureEJBTestCase FAILED
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5:42 a.m.
New subject: [JBoss JIRA] Assigned: (JBAS-3595) Tomcat allows http access with transport guarantie CONFIDENTIAL
[ http://jira.jboss.com/jira/browse/JBAS-3595?page=all ]
Dimitris Andreadis reassigned JBAS-3595:
----------------------------------------
Assignee: Remy Maucherat
Assign to Remy to look at.
Tomcat allows http access with transport guarantie CONFIDENTIAL
---------------------------------------------------------------
Key: JBAS-3595
URL: http://jira.jboss.com/jira/browse/JBAS-3595
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Reporter: Thomas Diesler
Assigned To: Remy Maucherat
Fix For: JBossAS-5.0.0.Beta3
The generated web.xml contains CONFIDENTIAL. Access via http:// should be denied.
This woks in Branch_4_0
/home/tdiesler/svn/jbossws/trunk/src/test
[tdiesler@tdvaio test]$ ant -Dtest=org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
one-test
one-test:
[junit] Running org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
[junit] Tests run: 5, Failures: 1, Errors: 0, Time elapsed: 5.452 sec
[junit] Test org.jboss.test.ws.samples.secureejb.SecureEJBTestCase FAILED
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:33 p.m.
New subject: [JBoss JIRA] Updated: (JBAS-3595) Tomcat allows http access with transport guarantie CONFIDENTIAL
[ http://jira.jboss.com/jira/browse/JBAS-3595?page=all ]
Remy Maucherat updated JBAS-3595:
---------------------------------
Attachment: test.war
Test WAR
Tomcat allows http access with transport guarantie CONFIDENTIAL
---------------------------------------------------------------
Key: JBAS-3595
URL: http://jira.jboss.com/jira/browse/JBAS-3595
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Reporter: Thomas Diesler
Assigned To: Remy Maucherat
Fix For: JBossAS-5.0.0.Beta3
Attachments: test.war
The generated web.xml contains CONFIDENTIAL. Access via http:// should be denied.
This woks in Branch_4_0
/home/tdiesler/svn/jbossws/trunk/src/test
[tdiesler@tdvaio test]$ ant -Dtest=org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
one-test
one-test:
[junit] Running org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
[junit] Tests run: 5, Failures: 1, Errors: 0, Time elapsed: 5.452 sec
[junit] Test org.jboss.test.ws.samples.secureejb.SecureEJBTestCase FAILED
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:35 p.m.
New subject: [JBoss JIRA] Commented: (JBAS-3595) Tomcat allows http access with transport guarantie CONFIDENTIAL
[ http://jira.jboss.com/jira/browse/JBAS-3595?page=comments#action_12390529 ]
Remy Maucherat commented on JBAS-3595:
--------------------------------------
The problem is apparently that JBossWebRealm.hasUserDataPermission does some checks, and
ends up not calling the superclass (which does the redirection).
Tomcat allows http access with transport guarantie CONFIDENTIAL
---------------------------------------------------------------
Key: JBAS-3595
URL: http://jira.jboss.com/jira/browse/JBAS-3595
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Reporter: Thomas Diesler
Assigned To: Remy Maucherat
Fix For: JBossAS-5.0.0.Beta3
Attachments: test.war
The generated web.xml contains CONFIDENTIAL. Access via http:// should be denied.
This woks in Branch_4_0
/home/tdiesler/svn/jbossws/trunk/src/test
[tdiesler@tdvaio test]$ ant -Dtest=org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
one-test
one-test:
[junit] Running org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
[junit] Tests run: 5, Failures: 1, Errors: 0, Time elapsed: 5.452 sec
[junit] Test org.jboss.test.ws.samples.secureejb.SecureEJBTestCase FAILED
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:35 p.m.
New subject: [JBoss JIRA] Assigned: (JBAS-3595) Tomcat allows http access with transport guarantie CONFIDENTIAL
[ http://jira.jboss.com/jira/browse/JBAS-3595?page=all ]
Remy Maucherat reassigned JBAS-3595:
------------------------------------
Assignee: Anil Saldhana (was: Remy Maucherat)
Can you clarify how the new realm hasUserDataPermission method is supposed to work ?
Tomcat allows http access with transport guarantie CONFIDENTIAL
---------------------------------------------------------------
Key: JBAS-3595
URL: http://jira.jboss.com/jira/browse/JBAS-3595
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Reporter: Thomas Diesler
Assigned To: Anil Saldhana
Fix For: JBossAS-5.0.0.Beta3
Attachments: test.war
The generated web.xml contains CONFIDENTIAL. Access via http:// should be denied.
This woks in Branch_4_0
/home/tdiesler/svn/jbossws/trunk/src/test
[tdiesler@tdvaio test]$ ant -Dtest=org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
one-test
one-test:
[junit] Running org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
[junit] Tests run: 5, Failures: 1, Errors: 0, Time elapsed: 5.452 sec
[junit] Test org.jboss.test.ws.samples.secureejb.SecureEJBTestCase FAILED
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:45 p.m.
New subject: [JBoss JIRA] Commented: (JBAS-3595) Tomcat allows http access with transport guarantie CONFIDENTIAL
[ http://jira.jboss.com/jira/browse/JBAS-3595?page=comments#action_12390534 ]
Anil Saldhana commented on JBAS-3595:
-------------------------------------
I merged the JBossSecurityMgrRealm and JaccAuthorizationRealm into one JBossWebRealm such
that the authorization aspects are plugged in via authorization modules (just like PAM).
I have a bug in hasUserDataPermission such that the authorizationMgr returns true by
default (such that the decision of the RealmBase is final). Since ok=true, the realmbase
was never consulted.
The correct logic is as in hasResourcePermission wherein authorizationdecisions can be
done by the authorization framework (eg. Jacc logic).
I will fix it.
Tomcat allows http access with transport guarantie CONFIDENTIAL
---------------------------------------------------------------
Key: JBAS-3595
URL: http://jira.jboss.com/jira/browse/JBAS-3595
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Reporter: Thomas Diesler
Assigned To: Anil Saldhana
Fix For: JBossAS-5.0.0.Beta3
Attachments: test.war
The generated web.xml contains CONFIDENTIAL. Access via http:// should be denied.
This woks in Branch_4_0
/home/tdiesler/svn/jbossws/trunk/src/test
[tdiesler@tdvaio test]$ ant -Dtest=org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
one-test
one-test:
[junit] Running org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
[junit] Tests run: 5, Failures: 1, Errors: 0, Time elapsed: 5.452 sec
[junit] Test org.jboss.test.ws.samples.secureejb.SecureEJBTestCase FAILED
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:23 p.m.
New subject: [JBoss JIRA] Resolved: (JBAS-3595) Tomcat allows http access with transport guarantie CONFIDENTIAL
[ http://jira.jboss.com/jira/browse/JBAS-3595?page=all ]
Anil Saldhana resolved JBAS-3595.
---------------------------------
Resolution: Done
revision 67907 should fix this.
Please test this and close the issue.
Tomcat allows http access with transport guarantie CONFIDENTIAL
---------------------------------------------------------------
Key: JBAS-3595
URL: http://jira.jboss.com/jira/browse/JBAS-3595
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Reporter: Thomas Diesler
Assigned To: Anil Saldhana
Fix For: JBossAS-5.0.0.Beta3
Attachments: test.war
The generated web.xml contains CONFIDENTIAL. Access via http:// should be denied.
This woks in Branch_4_0
/home/tdiesler/svn/jbossws/trunk/src/test
[tdiesler@tdvaio test]$ ant -Dtest=org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
one-test
one-test:
[junit] Running org.jboss.test.ws.samples.secureejb.SecureEJBTestCase
[junit] Tests run: 5, Failures: 1, Errors: 0, Time elapsed: 5.452 sec
[junit] Test org.jboss.test.ws.samples.secureejb.SecureEJBTestCase FAILED
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6234
days inactive
6693
days old
7 comments
5 participants
participants (5)
-
Anil Saldhana (JIRA) -
Dimitris Andreadis (JIRA) -
Dimitris Andreadis (JIRA)
-
Remy Maucherat (JIRA)
-
Thomas Diesler (JIRA)