[ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14008983#comment-14008983 ]

Glen Mazza commented on JSPWIKI-212:
------------------------------------

I'm not sure I understand your point, Harry; CMA or not, userids and passwords 
will go over the wire, yes, but in the SSL case they will be encrypted.  For 
standard userdatabase.xml, yes, you will flow userid/password across the wire, 
but SSL (transport-layer encryption) will ensure that they are encrypted.

Perhaps we need better documentation to explain how to take out the SSL, but I 
think it's kind of nice to be secure by default (with SSL) and let people 
remove security rather than add it in.  After all, if a newbie user has no clue 
how to work with SSL on a servlet container, perhaps he shouldn't be 
deploying web applications anyway.  But I don't feel very strongly on this 
issue; indeed, the quoted statement from Juergen's last comment on Apache 
Roller came from myself--I'm OK with Roller not shipping with SSL by default, 
as our install instructions make clear it should be used if security is a 
concern.  I just assumed that the original authors of JSPWiki had a good reason 
for shipping it with SSL enabled OOTB, so I didn't see a need to challenge it.

> transport-guarantee CONFIDENTIAL should be removed from web.xml
> ---------------------------------------------------------------
>
>                 Key: JSPWIKI-212
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-212
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication & Authorization
>    Affects Versions: 2.6.2
>         Environment: apache-tomcat-6.0.16
>            Reporter: Jürgen Weber
>            Assignee: Andrew Jaquith
>            Priority: Minor
>
> The default web.xml of JSPWiki contains, twice,
>   <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> for container managed authorization.
> But by default Tomcat does not have SSL switched on, and when trying to log in to 
> JSPWiki you get
> Firefox can't establish a connection to the server at localhost:8443.
> By default the user-data-constraint element should be removed, as it makes 
> activating container managed authorization unnecessarily difficult.
> Especially as it is not easy or obvious to notice the connection between the 
> cited error message and the user-data-constraint element.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
