Re: Jigsaw realm authentication

From: Yves Lafon <ylafon@w3.org>
Date: Tue, 21 Aug 2001 19:05:01 +0200 (MET DST)
To: Milum Software <shayes@milum.com>
cc: <www-jigsaw@w3.org>
Message-ID: <Pine.GSO.4.33.0108211859220.2458-100000@tarantula.inria.fr>

On Tue, 21 Aug 2001, Milum Software wrote:

> I'm using Jigsaw version 2.0.5 server on Windows 98 and NT and when I use
> the Jigsaw realm authentication it works fine as long as the user uses an
> upper case letter for the directory I need to authorize access to.
>
> On my server I have a directory "Calendars" full path would be
> "http://192.168.1.7/Calendars" that I have set to request authorization
> before allowing a user to browse to the directory. This works great except
> if the user types a lower case "calendar" "http://192.168.1.7/calendars"
> which lets the user in without authorization. If anyone could give me any
> info on this problem it would be great. This is a big security hole for us.

It happens because Windows is not case sensitive when accessing directories.
Go to Properties->General, then set "Check Sensitivity" to false.
It should fix this problem.
Note that in your example a distinct container "calendars" has been
created, so you need to remove it first.

There was also a similar problem ("backdoor" to access a protected
resource) but due to another thing, involving content negotiation. For
this you can try to use a zip available from
http://jigsaw.w3.org/Devel/classes-2.0/20010821/jigsaw.zip
(I just backported what is in 2.1).

-- 
Yves Lafon - W3C
"Baroula que barouleras, au tiéu toujou t'entourneras."
Received on Tuesday, 21 August 2001 13:05:06 GMT
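
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not Jigsaw code: an access rule matched case-sensitively against the requested string, in front of a store that resolves names case-insensitively, beside the same check applied to the resolved name. All class and function names and the sample paths are constructed assumptions.

```python
# Added illustration; every name here is hypothetical, none is Jigsaw's API.

class CaseInsensitiveStore:
    """Constructed stand-in for a Windows-style filesystem: lookups ignore case."""

    def __init__(self, paths):
        self._by_folded = {p.casefold(): p for p in paths}

    def resolve(self, request_path):
        """Return the stored (canonical) name for a request path, or None."""
        return self._by_folded.get(request_path.casefold())


def is_protected(path, protected):
    """Case-sensitive match of a path against protected directory prefixes."""
    return any(path == p or path.startswith(p + "/") for p in protected)


def handle(request_path, store, protected, authenticated, canonicalize):
    """Return the HTTP status a server would send for this request."""
    real = store.resolve(request_path)
    if real is None:
        return 404
    # Weak: the rule is matched against the string the client typed.
    # Hardened: the rule is matched against the name the store resolved to.
    subject = real if canonicalize else request_path
    if is_protected(subject, protected) and not authenticated:
        return 401
    return 200


# Constructed sample data mirroring the thread's "Calendars" directory.
STORE = CaseInsensitiveStore(["/index.html", "/Calendars", "/Calendars/team.ics"])
PROTECTED = {"/Calendars"}


def demo():
    """Compare both checks for unauthenticated requests in several casings."""
    rows = []
    for path in ["/Calendars", "/calendars", "/CALENDARS/Team.ics", "/index.html"]:
        weak = handle(path, STORE, PROTECTED, False, canonicalize=False)
        hard = handle(path, STORE, PROTECTED, False, canonicalize=True)
        rows.append((path, weak, hard))
    return rows


if __name__ == "__main__":
    for path, weak, hard in demo():
        print(f"{path:22} raw-match={weak} canonical-match={hard}")
```

The useful regression check for a deployment on a case-insensitive filesystem is the same comparison: request each protected path in several casings without credentials and confirm every variant returns 401.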