[ https://issues.apache.org/jira/browse/JSPWIKI-212?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12586267#action_12586267 ]

Jürgen Weber commented on JSPWIKI-212:
--------------------------------------

Why should JSPWiki be more strict than Tomcat itself? Tomcat has SSL off by 
default, which is not surprising, as you should know about SSL certificates: 
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

If you want to put SSL on the internet, you should get a CA-issued certificate. 
People who want to do all that to get SSL running certainly know how to switch 
on SSL in web.xml.

So, for all other people, let's switch it off in web.xml.



> transport-guarantee CONFIDENTIAL should be removed from web.xml
> ---------------------------------------------------------------
>
>                 Key: JSPWIKI-212
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-212
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 2.6.2
>         Environment: apache-tomcat-6.0.16
>            Reporter: Jürgen Weber
>            Priority: Minor
>
> The default web.xml of JSPWiki contains two times
>  <user-data-constraint>
>            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>        </user-data-constraint>
> for container managed authorization.
> But by default Tomcat has not switched on SSL, and trying to log in to 
> JSPWiki you get
> Firefox can't establish a connection to the server at localhost:8443.
> By default the user-data-constraint element should be removed as it makes 
> activating container managed authorization unnecessarily difficult.
> Especially as it is not easy or obvious to notice the connection between the 
> cited error message and the user-data-constraint element.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
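
The failure described in the issue, as an added diagnostic example (not JSPWiki or Tomcat code): it flags URL patterns that require CONFIDENTIAL transport while the container's redirectPort has no SSL-enabled Connector behind it. The XML samples, the /Login.jsp pattern and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not the files shipped by JSPWiki or Tomcat).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated area</web-resource-name>
      <url-pattern>/Login.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
HTTP_CONN = '<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>'
SSL_CONN = '<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"/>'
SERVER_XML_NO_SSL = f"<Server><Service>{HTTP_CONN}</Service></Server>"
SERVER_XML_SSL = f"<Server><Service>{HTTP_CONN}{SSL_CONN}</Service></Server>"

def local(tag):
    """Strip the XML namespace so any web-app schema version is accepted."""
    return tag.rsplit("}", 1)[-1]

def texts(node, name):
    """Stripped text of every descendant element called `name`."""
    return [e.text.strip() for e in node.iter() if local(e.tag) == name and e.text]

def confidential_patterns(web_xml):
    """URL patterns whose security-constraint demands CONFIDENTIAL transport."""
    found = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) == "security-constraint" and \
                "CONFIDENTIAL" in texts(sc, "transport-guarantee"):
            found += texts(sc, "url-pattern")
    return found

def dead_redirect_ports(server_xml):
    """Declared redirectPort values with no SSL-enabled Connector listening."""
    conns = list(ET.fromstring(server_xml).iter("Connector"))
    is_ssl = lambda c: c.get("SSLEnabled", "").lower() == "true"
    ssl_ports = {c.get("port") for c in conns if is_ssl(c)}
    redirects = {c.get("redirectPort") for c in conns
                 if not is_ssl(c) and c.get("redirectPort")}
    return sorted(redirects - ssl_ports)

def diagnose(web_xml, server_xml):
    """(pattern, port) pairs where a request is redirected to a closed port."""
    dead = dead_redirect_ports(server_xml)
    return [(p, port) for p in confidential_patterns(web_xml) for port in dead]
```

A non-empty result from `diagnose` corresponds to the "can't establish a connection to the server at localhost:8443" symptom quoted in the issue; an empty one means either no constraint requires CONFIDENTIAL or an SSL Connector serves the redirect port.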
