Bug 777747 (SOA-262)

Summary: jBPM GPD requires http://127.0.0.1:8080/jbpm-console/upload/ to not require username/password authentication
Product: [JBoss] JBoss Enterprise SOA Platform 4
Reporter: Len DiMaggio <ldimaggi>
Component: Security
Assignee: Mike Brock <cbrock>
Status: CLOSED NEXTRELEASE
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: 4.2 Beta 1
CC: rruss
Target Milestone: ---
Target Release: 4.2 CR2
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/SOA-262
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment: standalone-soa-4.2.0.beta1.zip soa-4.2.0.beta1.zip
Last Closed: 2008-02-04 16:30:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 777801, 777988

Description Len DiMaggio 2008-01-02 20:50:32 UTC
Link type: Superset, Source: SOA-262, Destination: SOA-270
Affects: Documentation (Ref Guide, User Guide, etc.)
Date of First Response: 2008-01-14 20:13:54
project_key: SOA

Marc Schoenefeld pointed this out to me today:

Do you know why the GUI access to the JBPM console over http://127.0.0.1:8080/jbpm-console/ is protected with
form-based authentication, whereas the upload via http://127.0.0.1:8080/jbpm-console/upload/ is not?
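
The gap Marc describes comes down to which url-patterns the web application's security-constraint actually covers. As an added example (editor's code, not from this bug, jBPM or the SOA Platform), the Python audit below parses a constructed web.xml modelled on the situation above and lists the context-relative paths that no auth-constraint protects, then shows the corrected descriptor passing the same check; the descriptor contents, role name and checked paths are all assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor (no xmlns, to keep ElementTree lookups simple):
# the console's JSP pages and index need a login, but nothing covers
# /upload/*, which is the gap the bug describes.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>console</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>/index.html</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""

# Corrected descriptor: the same constraint plus a prefix pattern for uploads.
FIXED_XML = WEB_XML.replace(
    "<url-pattern>/index.html</url-pattern>",
    "<url-pattern>/index.html</url-pattern>\n      <url-pattern>/upload/*</url-pattern>")

def constrained_patterns(web_xml: str) -> list[str]:
    """url-patterns under a security-constraint that has an auth-constraint
    (a constraint with no auth-constraint restricts nothing)."""
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue
        for up in sc.findall("web-resource-collection/url-pattern"):
            patterns.append(up.text.strip())
    return patterns

def matches(pattern: str, path: str) -> bool:
    """Servlet-style matching: exact, path prefix (/x/*) or extension (*.ext)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False

def unprotected(web_xml: str, paths: list[str]) -> list[str]:
    """Context-relative paths that no auth-constraint covers."""
    pats = constrained_patterns(web_xml)
    return [p for p in paths if not any(matches(pat, p) for pat in pats)]
```

Running `unprotected(WEB_XML, ["/index.jsp", "/index.html", "/upload/", "/upload/x.par"])` flags both upload paths, while the same call against `FIXED_XML` returns nothing.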

Comment 2 Len DiMaggio 2008-01-03 18:29:59 UTC
Link: Added: This issue related SOA-265


Comment 3 Mark Little 2008-01-07 21:59:23 UTC
Link: Added: This issue incorporates SOA-270


Comment 4 Len DiMaggio 2008-01-08 02:35:23 UTC
Link: Added: This issue is related to SOA-265


Comment 5 Len DiMaggio 2008-01-08 02:35:46 UTC
Link: Removed: This issue is related to SOA-265 


Comment 6 Mike Brock 2008-01-15 01:13:54 UTC
I'm not sure.  It would seem pretty bad to me.  One could potentially do some pretty nasty stuff, such as filling up a hard drive with random frivolous uploads.  Such a hole wouldn't even pass a sniff-test by most companies serious about security, so I think this needs to be escalated into jBPM itself.

This is a pretty serious problem.

Is there a related jBPM JIRA open yet? If there isn't, there should be.

Comment 7 Mark Little 2008-01-15 08:13:11 UTC
Yes, SOA-265.

Comment 8 Mark Little 2008-01-15 14:38:37 UTC
Link: Added: This issue is a dependency of SOA-327


Comment 9 Joshua Wulf 2008-01-15 17:20:14 UTC
Affects: Added: [Documentation (Ref Guide, User Guide, etc.)]


Comment 10 Mike Brock 2008-01-25 19:25:59 UTC
fixed in trunk

Comment 12 Len DiMaggio 2008-04-15 17:52:49 UTC
Link: Added: This issue is a dependency of SOA-515


Comment 13 Thomas Diesler 2009-02-07 10:45:52 UTC
Link: Added: This issue is related to JBPM-1958