http://issues.apache.org/bugzilla/show_bug.cgi?id=35466

Summary: Security system does not work as "documented"
Product: Slide
Version: 2.1
Platform: Other
OS/Version: Windows 2000
Status: NEW
Severity: normal
Priority: P2
Component: Security
AssignedTo: slide-dev@jakarta.apache.org
ReportedBy: [EMAIL PROTECTED]

PROCEDURE:

1. Install Slide WAR and Slide document WAR file on Tomcat

2. Start Tomcat

3. In the browser, go to the main Slide documentation page (assuming we are using Port 8080, we go to: http://localhost:8080/slide-doc)

Note that the Slide documentation identifies 4 standard users that come with Slide: root, john, john2, and guest. The documentation suggests that you should be able to log in as root.

4. Follow the instructions given in http://localhost:8080/slide-doc/howto-acl.html to enable authentication on Slide.

5. Attempt to follow the instructions for creating a user as given on the page: http://localhost:8080/slide-doc/howto-create-users.html (alternatively, go to http://jakarta.apache.org/slide/howto-create-users.html since the pages are the same).

5a. Download and install the DAVExplorer application
5b. Run DAVExplorer
5c. Attempt to connect to localhost:8080/slide

PROBLEM 1: The root login and password do not work. You cannot log in to Slide's resources at all!

6. Go to Apache Foundation's Bugzilla, search through Slide's open bugs for the keyword "login"

7. Read bug #22409

NOTE: Bug 22409 talks about adding usernames to the tomcat-users.xml file in order to log in to Slide. Nowhere in Slide's configuration documentation is there mention of needing to edit anything other than the web.xml file (for enabling authentication) and the Domain.xml file (for user information and properties). This is just one aspect of some serious documentation bugs which will be entered separately into this Bugzilla system.

8. Based on information in Bug #22409, edit the tomcat-users.xml file and add entries for "root" and "john2".

9. Restart Tomcat and DAV Explorer

10. Log in to Slide (this time, the login works)

11. Attempt to add a user as instructed in http://localhost:8080/slide-doc/howto-create-users.html.

12. Restart Tomcat.

13. Restart DAV Explorer

14. Attempt to log in as the new user.

PROBLEM 2: Login FAILS. Apparently, changes made following the user instruction DO NOT WORK.

15. Add a new entry for "test" in the tomcat-users.xml directory.

16. Restart everything and attempt to log in as the new user (test) again.

PROBLEM 3: Login succeeds. This indicates that the security system does not work as "documented".

According to the "documentation", users are added through entries in the /slide/users directory, and the entries in the Domain.xml file handle the user's permissions and passwords. In actuality, it is the tomcat-users.xml file that actually creates users recognized by Slide. The users, passwords, and roles entered into that file determine who can log in and what their permissions are. Roles defined in Domain.xml seem to work, though, and testing shows that you do apparently need to define entries for a user's permissions in Domain.xml in order to log in without errors (Note: creating a new user according to the instructions in http://localhost:8080/slide-doc/howto-create-users.html doesn't work at all because the system apparently ignores any changes made to properties that aren't done through editing Domain.xml).

The bottom line is that Slide's security system does not work as it is currently documented. The documentation is abysmal as it is, but the fact that it is also inaccurate does not help matters. Either this system must be fixed so that it operates as "documented", or the documentation needs to be changed. The way things are now is unacceptable.