[ http://issues.apache.org/jira/browse/AXIS2-581?page=all ]
Jens Schumann updated AXIS2-581:
--------------------------------
Attachment: admin-fixes-patch.tar.gz
Attached another patch which fixes a bug introduced yesterday and takes care of
some of the drawbacks mentioned:
- Fixed .aar upload - due to missing commons-upload in
module/webapp/project.xml upload would fail with classnotfound.
- Renamed AxisAdminServlet mapping from /admin/ to /axis2-admin to ensure
embeddability
- Introduced error404.jsp/error500.jsp
- Introduced additional axis2.xml httpFrontendHostUrl parameter to override
autodetected request URL. This will help if you use Apache mod_proxy or https
decoding outside your web app container. Please check whether you like its name
AND behavior AND changes to axis2.xml.
- Improved frontend host autodetection, should work for root contexts too.
- Minor source cleanups.
You may now safely remove the following files:
module/webapp/Error/AuthError.html
module/webapp/Error/GenError.html
Also org.apache.axis2.transport.http.server.AdminAppException should not be
required anymore.
Now if we get all that stuff documented this one can be closed. How do you want
to have those features (disableAxis Security in favor of WebSecurity,
FrontendHost) documented? ;)
> Pluggable security/authentication support
> -----------------------------------------
>
> Key: AXIS2-581
> URL: http://issues.apache.org/jira/browse/AXIS2-581
> Project: Apache Axis 2.0 (Axis2)
> Type: Wish
> Components: Tools
> Versions: 0.95
> Reporter: Jens Schumann
> Attachments: admin-console-proposal.tar.gz, admin-fixes-patch.tar.gz
>
> Right now axis2 uses a proprietary security mechanism for authenticating
> users. The current mechanism has two drawbacks:
> 1. It requires setting username/password in axis2.xml, which will be done
> BEFORE build time. Having username/passwds within a deployment unit isn't
> the best way to do it.
> 2. As seen in AXIS2-580 the security check can be easily broken by new code
> in axis2.
> I recommend to rebuild the security implementation from scratch and create
> either
> A) a pluggable security mechanism that lets users replace the security
> mechanism with their own authentication mechanism or
> B) use standard web security.
> Of course B will have consequences for the current axis2.war - it won't be
> that easy to create a drop-in web archive which will work across all web
> containers. However I would appreciate if axis2 would support it.
--
This message is automatically generated by JIRA.
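Option B from the issue description ("use standard web security"), sketched as an added example that is not part of the attached patch or of Axis2 itself: a container-managed constraint on the renamed /axis2-admin mapping, so no credentials live in axis2.xml. The role name, realm name and BASIC auth method are assumptions chosen for illustration.

```xml
<!-- WEB-INF/web.xml fragment (constructed example, Servlet-spec elements only). -->
<!-- Assumes the admin servlet is mapped under /axis2-admin as described above. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Axis2 admin console</web-resource-name>
    <!-- Cover both the bare mapping and everything below it. -->
    <url-pattern>/axis2-admin</url-pattern>
    <url-pattern>/axis2-admin/*</url-pattern>
    <!-- No http-method elements: the constraint applies to every method. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Hypothetical role name; map it to real users in the container's realm. -->
    <role-name>axis2-admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require TLS so credentials never cross the wire in clear text. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- Assumption: BASIC for brevity; FORM or CLIENT-CERT follow the same pattern. -->
  <auth-method>BASIC</auth-method>
  <realm-name>Axis2 Administration</realm-name>
</login-config>

<security-role>
  <role-name>axis2-admin</role-name>
</security-role>
```

Users and passwords then live in the container's realm configuration, outside the deployment unit. If HTTPS is terminated in front of the container, as in the mod_proxy case the comment mentions, the container must be configured to see the request as secure for the CONFIDENTIAL guarantee to be satisfied.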