The deployment descriptor (web.xml) of picketlink-sts.war in the security_saml quickstart, the webservice_proxy_security quickstart, and some of the included web applications (web-console, http-invoker, gpd-deployer, jbpm-console, contract, and uddi-console) contained a configuration that could allow an attacker to bypass the application's security with a crafted HTTP request. To resolve these issues, the following lines have been removed from the web.xml files of the affected quickstarts and applications:
If the security_saml quickstart was used to create another application, then that new application will need to be reviewed to ensure it does not have this issue.
These issues were fixed by the 5.0.2 release of the JBoss Enterprise SOA Platform, available for download from the Red Hat Customer Portal:
The JBoss Enterprise SOA Platform 5.0.2 Release Notes are available from http://www.redhat.com/docs/en-US/JBoss_SOA_Platform/5.0.2/html/5.0.2_Release_Notes/index.html