[ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14008991#comment-14008991 ]
Harry Metske commented on JSPWIKI-212:
--------------------------------------

Yes I understand what SSL (https) does.
But what I tried to explain is that JSPWiki is not secure OOTB. A vanilla JSPWiki does not force the use of https (the transport-guarantee CONFIDENTIAL element in web.xml is commented out), yet we do use userids/passwords crossing unencrypted over the wire.
But once you want to start using container A&A we "default" to ssl/https, that sounds a bit odd and that's why I agree with Jurgen.

regards,
Harry

> transport-guarantee CONFIDENTIAL should be removed from web.xml
> ---------------------------------------------------------------
>
> Key: JSPWIKI-212
> URL: https://issues.apache.org/jira/browse/JSPWIKI-212
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication & Authorization
> Affects Versions: 2.6.2
> Environment: apache-tomcat-6.0.16
> Reporter: Jürgen Weber
> Assignee: Andrew Jaquith
> Priority: Minor
>
> The default web.xml of JSPWiki contains two times
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> for container managed authorization.
> But by default Tomcat has not switched on SSL, and trying to log in to
> JSPWiki you get
> Firefox can't establish a connection to the server at localhost:8443.
> By default the user-data-constraint element should be removed as it makes
> activating container managed authorization unnecessarily difficult.
> Especially as it is not easy or obvious to notice the connection between the
> cited error message and the user-data-constraint element.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
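
An added example, not part of the original message and not JSPWiki code: a Python check that reports, for each security-constraint in a web.xml, whether a transport-guarantee is actually in force or only present inside an XML comment, which is the state the comment above describes for the vanilla configuration. The sample web.xml, its URL patterns and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not JSPWiki's actual web.xml: the first constraint has its
# user-data-constraint commented out, the second has it active.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection><url-pattern>/Login.jsp</url-pattern></web-resource-collection>
    <!--
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    -->
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    """Strip the '{namespace}' prefix so any servlet-spec version is handled."""
    return tag.rsplit("}", 1)[-1]

def texts(parent, name):
    """Text of every descendant element called `name`, namespace ignored."""
    return [(e.text or "").strip() for e in parent.iter() if local(e.tag) == name]

def audit_transport_guarantee(web_xml):
    """Return [(url_patterns, guarantee)] per security-constraint; None = not enforced."""
    root = ET.fromstring(web_xml.encode("utf-8"))  # the default parser drops comments
    results = []
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        guarantee = texts(sc, "transport-guarantee")
        results.append((texts(sc, "url-pattern"), guarantee[0] if guarantee else None))
    return results

def commented_out_guarantees(web_xml):
    """Count transport-guarantee elements that exist only inside XML comments."""
    comments = re.findall(r"<!--(.*?)-->", web_xml, flags=re.S)
    return sum(c.count("<transport-guarantee>") for c in comments)

if __name__ == "__main__":
    for patterns, guarantee in audit_transport_guarantee(SAMPLE_WEB_XML):
        note = "HTTPS required" if guarantee == "CONFIDENTIAL" else "no HTTPS redirect"
        print(patterns, guarantee, note)
    print("commented out:", commented_out_guarantees(SAMPLE_WEB_XML))
```

A constraint reported with `None` is served over plain HTTP if the container allows it, so any login form under those patterns sends credentials unencrypted.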