[ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14009551#comment-14009551 ]
Glen Mazza commented on JSPWIKI-212:
------------------------------------

Oh, now I remember, there is a difference between Roller and JSPWiki CMA. Roller's configuration is really just for SSL; it doesn't use any usernames and passwords in the tomcat-users.xml file; that stuff is still stored in Roller's database (MySQL or Derby or whatever). A compromised username/password would just affect the Roller web application.

JSPWiki, however, *would* use the usernames and passwords in tomcat-users.xml for its CMA; if that information were compromised, an attacker could get control of the Tomcat servlet container if the usernames and passwords were configured poorly enough (e.g., users were lazily given Tomcat manager roles). I would think by default this should be encrypted via SSL so the data in tomcat-users.xml never gets compromised.

A newbie user (or one who hasn't much time to research secure installations) isn't going to be using Tomcat CMA but the default userdatabase and groupdatabase.xml approach. So we already have a nice, simple OOTB solution that doesn't require much effort. I would think, though, that if one wishes to graduate onto Tomcat CMA, SSL should be activated by default. If this is causing a user too much heartache (he can't understand how to deactivate it, or is uncertain how to activate SSL in his servlet container), at that stage it would be good for the user to study up on SSL or retreat back to the simpler userdatabase/groupdatabase approach.
> transport-guarantee CONFIDENTIAL should be removed from web.xml
> ---------------------------------------------------------------
>
> Key: JSPWIKI-212
> URL: https://issues.apache.org/jira/browse/JSPWIKI-212
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication & Authorization
> Affects Versions: 2.6.2
> Environment: apache-tomcat-6.0.16
> Reporter: Jürgen Weber
> Assignee: Andrew Jaquith
> Priority: Minor
>
> The default web.xml of JSPWiki contains, twice,
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> for container managed authorization.
> But by default Tomcat does not have SSL switched on, and when trying to log in to
> JSPWiki you get
> Firefox can't establish a connection to the server at localhost:8443.
> By default the user-data-constraint element should be removed, as it makes
> activating container managed authorization unnecessarily difficult,
> especially as it is not easy or obvious to notice the connection between the
> cited error message and the user-data-constraint element.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
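The two failure modes this thread describes (a CONFIDENTIAL transport guarantee that redirects to an 8443 nothing listens on, and tomcat-users.xml accounts that carry a Tomcat manager role alongside their wiki role) can both be caught before anyone enables CMA. The following Python script is an added example, not code from JSPWiki, Tomcat or anyone in this thread. It parses web.xml, server.xml and tomcat-users.xml and reports both conditions. The embedded XML samples are constructed for this example and modelled on the Tomcat 6 defaults; the function names, the `Authenticated` wiki role and the keystore attributes in the "fixed" server.xml are this example's own assumptions.

```python
"""Pre-flight checks for Tomcat container-managed authentication (CMA) with JSPWiki.

Added example, not code from JSPWiki, Tomcat or anyone in this thread. It reads the
three files the thread discusses (web.xml, server.xml, tomcat-users.xml) and reports
the two problems described: a CONFIDENTIAL transport guarantee whose redirect port has
no SSL connector behind it (the "can't connect to localhost:8443" symptom), and
tomcat-users.xml accounts that hold a wiki role together with a Tomcat manager/admin
role. All XML below is constructed for this example, modelled on Tomcat 6 defaults.
"""
import xml.etree.ElementTree as ET

# Roles that control the container itself, not just one web app ("manager"/"admin"
# are the Tomcat 6 names; the rest are the Tomcat 7+ split).
CONTAINER_ROLES = {"manager", "admin", "manager-gui", "manager-script", "admin-gui"}


def _local(tag):
    """Drop the namespace ElementTree prefixes onto tags of a namespaced web.xml."""
    return tag.rsplit("}", 1)[-1]


def confidential_patterns(web_xml):
    """url-patterns guarded by <transport-guarantee>CONFIDENTIAL</transport-guarantee>."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        texts = [(_local(e.tag), e.text.strip()) for e in sc.iter() if e.text and e.text.strip()]
        if ("transport-guarantee", "CONFIDENTIAL") in texts:
            patterns += [v for k, v in texts if k == "url-pattern"]
    return patterns


def connectors(server_xml):
    """(port, redirectPort, sslEnabled) per live <Connector>; ElementTree drops XML
    comments, so the SSL connector Tomcat ships commented out is correctly seen as absent."""
    return [(c.get("port"), c.get("redirectPort"), c.get("SSLEnabled", "false").lower() == "true")
            for c in ET.fromstring(server_xml).iter("Connector")]


def transport_findings(web_xml, server_xml):
    """Each redirect that CONFIDENTIAL forces onto a port no SSL connector serves."""
    patterns = confidential_patterns(web_xml)
    conns = connectors(server_xml)
    ssl_ports = {port for port, _, ssl in conns if ssl}
    return [f"connector {port} redirects {patterns} to {redirect}, but no SSLEnabled connector listens there"
            for port, redirect, ssl in conns
            if patterns and not ssl and redirect and redirect not in ssl_ports]


def overprivileged_users(users_xml, app_roles):
    """Accounts that mix a web-app role with a Tomcat container role."""
    bad = []
    for u in ET.fromstring(users_xml).iter("user"):
        roles = {r.strip() for r in (u.get("roles") or "").split(",")}
        if roles & set(app_roles) and roles & CONTAINER_ROLES:
            bad.append(u.get("username") or u.get("name"))
    return bad


# Constructed web.xml carrying the constraint the issue describes.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/Login.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed server.xml in the Tomcat 6 default shape: 8080 redirects to 8443, SSL still commented out.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <!-- shipped commented out:
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"/>
  -->
</Service></Server>"""

# The same file with the SSL connector enabled (keystore attributes are assumed placeholders).
SERVER_XML_SSL = SERVER_XML.replace("<!-- shipped commented out:", "").replace(
    'secure="true"/>\n  -->', 'secure="true" keystoreFile="conf/keystore.jks" keystorePass="changeit"/>')

# Constructed tomcat-users.xml: bob was "lazily given" the manager role on top of his wiki role.
USERS_XML = """<tomcat-users>
  <role rolename="manager"/><role rolename="Authenticated"/>
  <user username="alice" password="s3cret" roles="Authenticated"/>
  <user username="bob" password="changeit" roles="Authenticated,manager"/>
</tomcat-users>"""

if __name__ == "__main__":
    print(transport_findings(WEB_XML, SERVER_XML))             # one finding, pointing at 8443
    print(transport_findings(WEB_XML, SERVER_XML_SSL))         # []
    print(overprivileged_users(USERS_XML, ["Authenticated"]))  # ['bob']
```

Run against a real installation by reading the three files from `$CATALINA_HOME/conf` and the webapp's `WEB-INF` in place of the constructed strings. The first check reproduces the reporter's symptom from configuration alone: the HTTP connector's `redirectPort` is where CONFIDENTIAL sends the browser, and if no `SSLEnabled` connector is bound there the login simply cannot connect. The second check is the point of the comment above: with CMA, tomcat-users.xml is the wiki's credential store, so any account in it that also holds a container role turns a wiki-password leak into a Tomcat compromise.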