[jboss-jira] [JBoss JIRA] Created: (JBPORTAL-2458) CasAuthenticationValve forces login for requests matching the /sec pattern

Martin Putz (JIRA) jira-events at lists.jboss.org
Tue Sep 29 04:36:49 EDT 2009


CasAuthenticationValve forces login for requests matching the /sec pattern
--------------------------------------------------------------------------

                 Key: JBPORTAL-2458
                 URL: https://jira.jboss.org/jira/browse/JBPORTAL-2458
             Project: JBoss Portal
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Portal Security
    Affects Versions: 2.7.2 Final
         Environment: JBoss Portal configured with CAS and HTTPS as outlined in Chapter 1.2 of the SSO Frameworks Integration Guide
http://docs.jboss.org/jbportal/sso/html/portal_cas.html#1.2
            Reporter: Martin Putz
            Assignee: Sohil Shah


The CasAuthenticationValve delegates to the CAS login for all requests that have no ticket parameter and match one of the patterns declared in the <security-constraint> elements in jboss-portal.sar/portal-server.war/WEB-INF/web.xml.

If you click on the 'News' tab, for instance, the request goes to:
https://localhost:8443/portal/sec/portal/default/News

This matches the pattern defined in the following <security-constraint> section:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <url-pattern>/sec/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

As there is only a <user-data-constraint> defined, but no <auth-constraint>, requests for /sec/* should not require authentication.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
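To make the distinction the report relies on concrete, here is an added example (not JBoss Portal or CAS code) that parses a constructed web.xml fragment and applies the servlet-specification semantics of <security-constraint>: a <user-data-constraint> of CONFIDENTIAL only requires the request to arrive over HTTPS, while an authentication challenge is warranted only when an <auth-constraint> is present. The second constraint (/admin/*, role Admin) is an assumption added for contrast; the request path /sec/portal/default/News is the servlet path of the 'News' URL quoted above, with the /portal context path stripped. A `buggy_decide` function models the behaviour described in the issue, where any matching pattern forces a login.

```python
"""Servlet <security-constraint> semantics: transport guarantee vs. auth constraint.

Added example, not part of the JIRA issue or of JBoss Portal. The web.xml
fragment below is constructed; only the /sec/* constraint mirrors the one
quoted in the report, the /admin/* constraint is assumed for contrast.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: /sec/* carries only a transport guarantee (as in the
# report); /admin/* (assumed) carries a real <auth-constraint>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <url-pattern>/sec/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


@dataclass
class Constraint:
    name: str
    patterns: List[str]
    roles: Optional[List[str]]  # None means no <auth-constraint> element at all
    transport: str              # NONE, INTEGRAL or CONFIDENTIAL


def parse_constraints(xml_text: str) -> List[Constraint]:
    """Collect every <security-constraint> with its patterns, roles and transport guarantee."""
    root = ET.fromstring(xml_text)
    result = []
    for sc in root.findall("security-constraint"):
        name_el = sc.find("web-resource-collection/web-resource-name")
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        auth = sc.find("auth-constraint")
        # An <auth-constraint/> with no roles is still a constraint (deny all),
        # so the presence of the element, not the role count, is what matters.
        roles = None if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        tg = sc.find("user-data-constraint/transport-guarantee")
        transport = tg.text.strip() if tg is not None else "NONE"
        result.append(Constraint(name_el.text.strip() if name_el is not None else "",
                                 patterns, roles, transport))
    return result


def matches(pattern: str, path: str) -> bool:
    """Servlet-style URL matching: exact, path prefix (/x/*) or extension (*.ext)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def decide(constraints: List[Constraint], path: str) -> Tuple[bool, bool]:
    """Return (needs_https, needs_login) for a servlet path, per the spec semantics."""
    needs_https = needs_login = False
    for c in constraints:
        if any(matches(p, path) for p in c.patterns):
            if c.transport in ("INTEGRAL", "CONFIDENTIAL"):
                needs_https = True
            if c.roles is not None:  # only an <auth-constraint> requires authentication
                needs_login = True
    return needs_https, needs_login


def buggy_decide(constraints: List[Constraint], path: str) -> Tuple[bool, bool]:
    """Behaviour reported in JBPORTAL-2458: any matching pattern forces a CAS login."""
    hit = any(matches(p, path) for c in constraints for p in c.patterns)
    return hit, hit


if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    for p in ("/sec/portal/default/News", "/admin/users", "/index.html"):
        print(p, "spec:", decide(cs, p), "valve:", buggy_decide(cs, p))
```

Running the block shows that the spec-conformant check answers (HTTPS required, no login) for the 'News' path, while the modelled valve answers (True, True); the difference is exactly the missing test for the presence of an <auth-constraint> element before handing the request to CAS.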