Summary: | UserNameToken: secured WS can be accessed without valid username/password | |
---|---|---|---
Product: | serverplugins | Reporter: | Andrey Yamkovoy <kaktus>
Component: | Identity | Assignee: | issues@serverplugins <issues>
Status: | VERIFIED FIXED | |
Severity: | blocker | |
Priority: | P1 | |
Version: | 5.x | |
Hardware: | All | |
OS: | All | |
Issue Type: | DEFECT | Exception Reporter: |
Attachments: | Deployment output, AS log | |
Description
Andrey Yamkovoy
2007-02-08 13:00:56 UTC
Created attachment 38234
Deployment output
Created attachment 38235
AS log
I can't reproduce the problem. The exception in the deployment log indicates there is some issue connecting to the access manager. The behaviour you saw might be a side-effect of that. Please try to come up with a reproducible step for creating the exception you saw in the deployment log.

It looks like the empty username corrupted the agent file for the client under the amflatfiledir/amserver/idrepo/agent directory. I think this is what caused the exception at deployment time. It also looks like the AM authentication provider simply uses the default client agent file (wscWSC) which contains the default testuser. I'll file a bug against the access manager. Meanwhile, on our side, I'll append an empty space to the empty username to plug the security leak.

Checked in a fix to prevent users from exploiting this security hole caused by an empty username.

Verified.
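A simplified model of the failure mode discussed in the comments above, added here as an illustration; it is not NetBeans or Access Manager code. It contrasts a provider that substitutes a default identity when the UsernameToken username is empty with one that fails closed. The user table, passwords and function names are constructed; `testuser` is the default user named in the comments.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed credential store; "testuser" stands in for the default profile's user.
USERS = {"testuser": "changeit", "alice": "s3cret"}
DEFAULT_USER = "testuser"


def envelope(user, password):
    """Build a constructed SOAP request carrying a wsse:UsernameToken."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}"><s:Header>'
            f'<wsse:Security><wsse:UsernameToken>'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password>{password}</wsse:Password>'
            f'</wsse:UsernameToken></wsse:Security></s:Header><s:Body/>'
            f'</s:Envelope>')


def extract_token(envelope_xml):
    """Return (username, password) from the token, or (None, None) if absent."""
    root = ET.fromstring(envelope_xml)
    tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        return None, None
    # findtext() yields "" for an element that is present but empty.
    return tok.findtext(f"{{{WSSE}}}Username"), tok.findtext(f"{{{WSSE}}}Password")


def authenticate_fail_open(envelope_xml):
    """Flawed pattern: an empty username silently becomes the default identity."""
    user, password = extract_token(envelope_xml)
    if not user:
        return DEFAULT_USER  # no credential was checked at all
    return user if USERS.get(user) == password else None


def authenticate_fail_closed(envelope_xml):
    """Hardened pattern: missing, empty or blank credentials are rejected."""
    user, password = extract_token(envelope_xml)
    if user is None or not user.strip() or not password:
        return None
    expected = USERS.get(user)
    if expected is None:
        return None
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return user if ok else None
```

A regression test for this class of bug should send empty and whitespace-only usernames to the secured endpoint and assert that the request is rejected.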