web.xml security configuration
Hi there
Running 1.0 Beta2 server on Linux RHEL5. Security is presently set to defaults, i.e. the web.xml has not been edited to force security on as described in the TeamServer Setup Guide. I.e. my web.xml looks like this:

  <web-resource-collection>
    <web-resource-name>secure</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>

I notice that the WebUI is secured and requires a login with a valid userid and password, while the RTC IDE can log in with any password (!!!) although the userid must be defined. The RTC IDE is using a URI like https://servername:9443/jazz/

It seems odd that the RTC can connect with any password but the Web UI can't?

I should mention that I'm using:
- WAS 6.1
- DB2 9.5
- Federated LDAP

The server is using a self-signed SSL certificate (hmmm)

FWIW: I edited the web.xml as documented to turn on security following the TeamServer Setup Guide. The Web UI continued to work as before but the RTC IDE couldn't connect at all; kept getting HTTP 302 errors no matter what userid/password I used.

Any help appreciated
7 answers
I'm getting the exact same behaviour.
Funny thing is I noticed this while creating a new user with the web api (logged in as ADMIN). I was thinking "hey, it never asked me for the password for this new user." End result is that using TeamConcert client I can connect as any defined user with any (or no) password. Yikes.
Thanks ... I was beginning to think I was the only one!
I'm pretty sure this is related to my WAS setup. I may try a test install using Tomcat just to see.
kenbauer wrote: I'm getting the exact same behaviour.
No, it is not just WAS. I am using the standard install with Tomcat and get this behaviour. Even with the ADMIN account. Passwords are checked through the web interface but not at all when using the TeamConcert client (under Mac at least).
I also tested this with a Windows Client (same). I submitted a bug report at: https://jazz.net/jazz/web/projects/Jazz%20Project#action=com.ibm.team.workitem.viewWorkItem&id=41132
Okay, turns out reading the manual (and following it to be more specific) helps.
The changes to jazz/server/tomcat/webapps/jazz/WEB-INF/web.xml really need to be done as specified in the install document for the server in the "Manage Jazz Security" section. I still think the text there is misleading. I was thinking that section was solely about removing the non-SSL port.
- Ken
I changed the text on this item: https://jazz.net/jazz/web/projects/Jazz%20Project#action=com.ibm.team.workitem.viewWorkItem&id=41132
I'll wait for triage on that and what happens first. Cheers, Ken
I agree that the doc section needs some clarification. So, is the consensus that, unless you do that web.xml editing, that Jazz won't verify RTC passwords at all, and that this behavior is correct? Unfortunately, due to the other problem I mentioned, I can't turn on security.
Dave
kenbauer wrote: Okay, turns out reading the manual (and following it to be more
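Added example, not part of the thread and not Jazz's own code: a small audit that reads a web.xml and reports whether a given context-relative path falls under a security-constraint that demands authentication, which is the gap the thread describes when only /secure/* is constrained. The descriptors, the role name and the test paths are constructed for illustration; the paths the RTC client actually calls are not given in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor (not the real Jazz web.xml): only /secure/* is
# constrained, as in the fragment quoted in the question. Role name is made up.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>ExampleUsers</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
# Constructed variant with a broader pattern, for comparison only.
BROAD_WEB_XML = SAMPLE_WEB_XML.replace("/secure/*", "/*")

def _local(tag):
    """Drop the XML namespace so descriptors of different versions parse alike."""
    return tag.rsplit("}", 1)[-1]

def constraints(xml_text):
    """Yield (url_pattern, has_auth_constraint) for every security-constraint."""
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        has_auth = any(_local(c.tag) == "auth-constraint" for c in sc)
        for el in sc.iter():
            if _local(el.tag) == "url-pattern" and el.text:
                yield el.text.strip(), has_auth

def match_rank(pattern, path):
    """Servlet matching order: exact > longest prefix > extension > default."""
    if pattern == path:
        return 10_000
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return 1_000 + len(pattern)
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return 100
    return 1 if pattern == "/" else 0

def requires_login(xml_text, path):
    """True if the best-matching constraint for a context-relative path
    demands authentication (http-method elements are ignored here)."""
    ranked = [(match_rank(p, path), auth) for p, auth in constraints(xml_text)]
    best = max((r for r, _ in ranked), default=0)
    return best > 0 and all(auth for r, auth in ranked if r == best)
```

Paths are relative to the web application's context root, so a request to https://servername:9443/jazz/ is checked as "/".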
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.