[jboss-jira] [JBoss JIRA] Resolved: (JBPORTAL-2458) CasAuthenticationValve forces login for requests matching the /sec pattern

Sohil Shah (JIRA) jira-events at lists.jboss.org
Thu Dec 10 19:49:29 EST 2009 

     [ https://jira.jboss.org/jira/browse/JBPORTAL-2458?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sohil Shah resolved JBPORTAL-2458.
----------------------------------

    Fix Version/s: Identity-1.1
       Resolution: Done


> CasAuthenticationValve forces login for requests matching the /sec pattern
> --------------------------------------------------------------------------
>
>                 Key: JBPORTAL-2458
>                 URL: https://jira.jboss.org/jira/browse/JBPORTAL-2458
>             Project: JBoss Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Portal Security
>    Affects Versions: 2.7.2 Final
>         Environment: JBoss Portal configured with CAS and HTTPS as outlined in Chapter 1.2 of the SSO Frameworks Integration Guide
> http://docs.jboss.org/jbportal/sso/html/portal_cas.html#1.2
>            Reporter: Martin Putz
>            Assignee: Sohil Shah
>             Fix For: Identity-1.1
>
>
> The CasAuthenticationValve delegates to the CAS login for all requests that have no ticket parameter and match one of the patterns declared in the <security-constraint> elements in jboss-portal.sar/portal-server.war/WEB-INF/web.xml.
> If you click on the 'News' tab, for instance, the request goes to:
> https://localhost:8443/portal/sec/portal/default/News
> This matches the pattern defined in the following <security-constraint> section:
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Secure</web-resource-name>
>       <url-pattern>/sec/*</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
> As there is only a <user-data-constraint> defined, but no <auth-constraint>, requests for /sec/* should not require authentication.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list