We get a directory listing for
http://localhost:9090/images/
http://localhost:9090/style/
http://localhost:9090/js/
and *.css, *.js and image files can be accessed without exclusion.
AuthCheck is only applied to *.jsp files.
We should apply the filter to everything:
    <!-- map AuthCheck to every request, not only *.jsp -->
    <filter-mapping>
        <filter-name>AuthCheck</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
and then create a whitelist for everything that is required for login. For the last two I'm not sure if this is required.
    <filter>
        <filter-name>AuthCheck</filter-name>
        <filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class>
        <init-param>
            <!-- comma-separated servlet paths that may be served without a login -->
            <param-name>excludes</param-name>
            <param-value>
                /login.jsp,
                /style/global.css,
                /style/login.css,
                /images/login_logo.gif,
                /images/error-16x16.gif,
                /images/jive-login-form-bg-gray.gif,
                /images/jive-login-bg.gif,
                /error-serverdown.jsp,
                /setup/clearspace-integration-prelogin.jsp
            </param-value>
        </init-param>
    </filter>
For AuthCheckFilter we use the following, so that setup will work.
    // path of the request relative to the context root, e.g. "/style/global.css"
    String srvpath = request.getServletPath();
    // let everything through while the server is still in setup mode,
    // otherwise only the exact paths listed in the "excludes" init-param
    boolean doExclude = XMPPServer.getInstance().isSetupMode() || excludes.contains(srvpath);
However, for some strange reason setup does not work for me, but it is possible that this is some other problem not related to that change.
java.lang.NullPointerException
at org.jivesoftware.openfire.admin.index_jsp._jspService(index_jsp.java:131)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
(...)
Message was edited by: Coolcat
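As an added illustration of the whitelist approach proposed above (this is example code, not Openfire's AuthCheckFilter and not part of the post), here is a minimal filter mapped to /* that parses the excludes init-param and lets a request through only when the server is in setup mode, the exact path is whitelisted, or the session is authenticated. The static setupMode flag stands in for XMPPServer.getInstance().isSetupMode(), the "admin" session attribute and the /login.jsp redirect target are assumptions, and the excludes value in main() is constructed to mirror the web.xml fragment above.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login-gate filter for a "/*" mapping (example, not Openfire's class).
 * Only paths listed in the "excludes" init-param, or any path while setup mode is
 * on, are served without an authenticated session.
 */
public class WhitelistAuthFilter implements Filter {

    /** Stand-in for XMPPServer.getInstance().isSetupMode() (assumed). */
    static boolean setupMode = false;

    private Set<String> excludes = new HashSet<>();

    /**
     * Parse "/a.jsp,\n /b.css, ..." into a set of exact paths. The web.xml value
     * spans several lines, so each entry must be trimmed or nothing ever matches.
     */
    static Set<String> parseExcludes(String paramValue) {
        Set<String> out = new HashSet<>();
        if (paramValue == null) return out;
        for (String entry : paramValue.split(",")) {
            String path = entry.trim();
            if (!path.isEmpty()) out.add(path);
        }
        return out;
    }

    /** Exact match only: "/style/global.css" is allowed, "/style/" (a listing) is not. */
    static boolean isExcluded(Set<String> excludes, String path) {
        return setupMode || excludes.contains(path);
    }

    @Override
    public void init(FilterConfig config) {
        excludes = parseExcludes(config.getInitParameter("excludes"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // For the default servlet getServletPath() is the whole path, but a servlet
        // mapped to a prefix (e.g. "/foo/*") puts the remainder into getPathInfo(),
        // so both parts are joined before the whitelist lookup.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());

        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("admin") != null; // assumed key

        if (loggedIn || isExcluded(excludes, path)) {
            chain.doFilter(req, res);
        } else {
            response.sendRedirect(request.getContextPath() + "/login.jsp");
        }
    }

    @Override
    public void destroy() { }

    /** Exercise the parsing and matching logic without a servlet container. */
    public static void main(String[] args) {
        // constructed input shaped like the web.xml param-value above
        Set<String> ex = parseExcludes("\n  /login.jsp,\n  /style/global.css,\n  /images/login_logo.gif\n");
        System.out.println("excludes = " + ex);
        System.out.println("/style/global.css -> " + isExcluded(ex, "/style/global.css"));
        System.out.println("/style/           -> " + isExcluded(ex, "/style/"));
        System.out.println("/index.jsp        -> " + isExcluded(ex, "/index.jsp"));
    }
}
```

Because the lookup is an exact match on the full path, a request for /style/ or /images/ is not whitelisted and is redirected to the login page; if the directory listing itself should also go away for authenticated users, that is a setting of Jetty's DefaultServlet (its dirAllowed init-param), not of the auth filter.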