[ http://issues.apache.org/jira/browse/AXIS2-580?page=all ]
Deepal Jayasinghe resolved AXIS2-580:
-------------------------------------
Resolution: Fixed
User will be validated before doing any admin operations.
> Admin Console Security does not work at all
> -------------------------------------------
>
> Key: AXIS2-580
> URL: http://issues.apache.org/jira/browse/AXIS2-580
> Project: Apache Axis 2.0 (Axis2)
> Type: Bug
> Components: Tools
> Versions: 0.95
> Reporter: Jens Schumann
> Priority: Blocker
>
> (copy and paste from
> http://marc.theaimsgroup.com/?l=axis-dev&m=114528552707863&w=2 )
> The current admin console security implementation contains several security
> flaws:
> - The security checks themselves seem to happen in the VIEW only, after
> the action was processed. So if I am not mistaken I can manually create the
> admin URLs and deactivate services and so on. (Getting a rendering error of
> course afterwards.)
> - One could argue that in a production environment you will not enable the
> AdminServlet. However, it seems that the current AxisServlet doGet
> implementation will forward processing to the ListingAgent if there is no
> SOAP request, which in turn means that I can disable services without
> knowing the username/password.
> To test the bug just deploy axis2.war and request the following URL:
> http://localhost:8080/axis2/inActivateService?axisService=version&turnoff=on&submit=+In-activate+
> version will be deactivated afterwards.
--
This message is automatically generated by JIRA.
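The defect reported above is an ordering problem: the authentication check ran in the view, after the admin action had already executed, and the unauthenticated GET path through AxisServlet reached the same handlers. The servlet filter below is an added illustration of the fix described in the resolution (authenticate before any admin operation), not Axis2's own code; the session attribute name, the filter class and the operation names other than inActivateService (which appears in the report) are assumptions.

```java
// Added example (not Axis2 code): authenticate BEFORE dispatching an admin
// action, instead of checking in the view after the action has been processed.
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AdminAuthFilter implements Filter {
    // Hypothetical session attribute that the login action sets on success.
    static final String LOGGED_IN_ATTR = "axis2.admin.loggedIn";
    // State-changing admin operations that must never run unauthenticated.
    // "inActivateService" is taken from the report; the other two are assumed names.
    static final Set<String> ADMIN_OPS =
            Set.of("inActivateService", "activateService", "removeService");

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /** True when the last path segment names a protected admin operation. */
    static boolean isAdminOperation(String requestUri) {
        String last = requestUri.substring(requestUri.lastIndexOf('/') + 1);
        return ADMIN_OPS.contains(last);
    }

    /** Only an existing session explicitly marked as logged in counts. */
    static boolean isAuthenticated(HttpSession session) {
        return session != null
                && Boolean.TRUE.equals(session.getAttribute(LOGGED_IN_ATTR));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false) never creates a session, so an anonymous GET stays anonymous.
        if (isAdminOperation(request.getRequestURI())
                && !isAuthenticated(request.getSession(false))) {
            // Deny here: the query string (axisService=..., turnoff=on) is never acted on.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Because the report notes that AxisServlet's doGet forwards non-SOAP requests to the ListingAgent, the filter mapping in web.xml has to cover that path as well as the AdminServlet, otherwise the second flaw remains reachable.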