Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
2.1.3, 2.1.4, 2.2
-
Security Level: public (Regular issues)
-
None
Description
for quite a while we have only allowed you to deploy a web app with security constraints if you also supply a geronimo security configuration; otherwise you get no security constraints at all. We should be doing the same for ejb apps. While this may be inconvenient for those who want to try deploying an app without completing the configuration, the alternative is to give the impression that the deployed app is enforcing the security constraints – which it is not.
I suppose an alternative might be to figure out a way to deploy and just forbid access to any resources that are constrained.