From Randy Watler <rwat...@finali.com>
Subject Re: J2 Customizer Issues
Date Mon, 22 Nov 2004 17:48:42 GMT

I see the security stuff is working for you, :).

See inline comments below:


Ate Douma wrote:

>Is a message missing from the list or did you get a message from 'David'
Yes, David sent a message to Scott and I wondering about issues he was 
having with the Customizer.

>I'd like to add another problem I encountered. Because the guest user now is
>a proper user, we should think of some way to disallow login to this user
>as it is meant to be used as built-in/internal user only.
>A simple solution to that would be setting the user is_enabled flag to
>false, but that still leaves the possibility someone enables it again
>through the UserManager.
>I personally would like to see a stronger protection against login of this
>user. This could be done by adding one more boolean attribute to the
>security_credential table (like is_buildin) or a hardcoded check in the
>UserManager.authenticate against the anonymous username. This name
>(default 'guest') is now managed by the Profiler though, so maybe we
>should move it to the UserManager then.
+1, seems like a good idea to limit the login.

>Another issue: the security rules on the Administrative folder won't allow
>a non-admin user to change its password. I will move the
>change-password.psml into the root folder to fix this.
I checked in this change to restrict access to the Administrative 
folder, but I did not spend a whole bunch of time to reorganize the demo 
site to make sense. David has mentioned over and over again that he was 
going to go for it one of these days, so I left it to him. Of course, 
change password needs to be available to every user! Sorry if this 
caused you too much grief...

>If time permits, I will also check in tonight the second part of my
>JS2-151 issue containing enforced password change on first login. This
>includes automatic navigation to the Change Password psml with no way to
>navigate from it until the password is changed (logoff is still a way out).
>Also included is a configurable set of days before password expiration
>when a user will be asked to change its password. The last day before
>expiration will require the password to be changed.
>These features are currently *not* (longer) working though as result of the
>new 'guest' user configuration which now *also* is required to change its
>password, even if this user isn't logged on at all.
>Kinda blocking problem :(
>I need this handled before I will check in my changes.
Thanks for the notice. I will hold off on upgrading my production site 
until we get this worked out.
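As an added illustration of the two proposals discussed above (a hard-coded check in UserManager.authenticate against the anonymous username, or a built-in flag in security_credential that cannot be undone by re-enabling the user), and of why the anonymous user must be excluded from the forced password change, here is a small stand-alone Java sketch. It is example code written for this thread, not Jetspeed's own UserManager; the class, field and method names, the in-memory store, and the plain SHA-256 hashing are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.LocalDate;
import java.time.temporal.ChronoUnit;
import java.util.HashMap;
import java.util.Map;

// Illustrative stand-in for a UserManager.authenticate method. Names are assumptions,
// not the Jetspeed 2 API; the credential store is an in-memory map built in main().
public class GuestLoginCheckExample {

    public enum Result { OK, BAD_CREDENTIALS, DISABLED, BUILTIN_NO_LOGIN, MUST_CHANGE_PASSWORD }

    // Mirrors the security_credential columns discussed in the thread plus the proposed built-in flag.
    static final class Credential {
        final byte[] passwordHash;
        final boolean enabled;        // is_enabled: can be flipped back through the UserManager
        final boolean builtin;        // proposed is_buildin flag: login is refused even when enabled
        final boolean updateRequired; // forced change on first login
        final LocalDate expiration;   // password expiration date

        Credential(byte[] hash, boolean enabled, boolean builtin, boolean updateRequired, LocalDate expiration) {
            this.passwordHash = hash; this.enabled = enabled; this.builtin = builtin;
            this.updateRequired = updateRequired; this.expiration = expiration;
        }
    }

    private final String anonymousUser;            // default 'guest', owned by the UserManager here
    private final int warnDays;                    // configurable days before expiration to prompt
    private final Map<String, Credential> store = new HashMap<>();

    GuestLoginCheckExample(String anonymousUser, int warnDays) {
        this.anonymousUser = anonymousUser;
        this.warnDays = warnDays;
    }

    void addUser(String name, Credential c) { store.put(name, c); }

    public Result authenticate(String username, String password, LocalDate today) {
        // Hard-coded check against the anonymous username: it can never log in, whatever
        // is_enabled says, and its password is never verified or checked for expiration.
        if (anonymousUser.equals(username)) return Result.BUILTIN_NO_LOGIN;

        Credential c = store.get(username);
        // Verify the password before anything else so an unknown user and a wrong
        // password produce the same answer; isEqual compares in constant time.
        if (c == null || !MessageDigest.isEqual(sha256(password), c.passwordHash)) return Result.BAD_CREDENTIALS;
        if (c.builtin) return Result.BUILTIN_NO_LOGIN;   // not undone by re-enabling the account
        if (!c.enabled) return Result.DISABLED;

        // Forced change on first login, or on the last day before expiration (and after it).
        long daysLeft = ChronoUnit.DAYS.between(today, c.expiration);
        if (c.updateRequired || daysLeft <= 1) return Result.MUST_CHANGE_PASSWORD;
        return Result.OK;
    }

    // True when the user should be asked, but not yet forced, to change the password.
    public boolean shouldWarn(String username, LocalDate today) {
        Credential c = store.get(username);
        if (c == null || anonymousUser.equals(username) || c.builtin) return false;
        long daysLeft = ChronoUnit.DAYS.between(today, c.expiration);
        return daysLeft > 1 && daysLeft <= warnDays;
    }

    // Unsalted SHA-256 keeps the example short; a real credential store would use a
    // salted, deliberately slow password hash instead.
    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        LocalDate today = LocalDate.of(2004, 11, 22);       // constructed sample date
        GuestLoginCheckExample um = new GuestLoginCheckExample("guest", 7);
        // Constructed sample accounts: the guest is enabled but built-in; admin must change on first login.
        um.addUser("guest", new Credential(sha256("guest"), true, true, true, today.minusDays(30)));
        um.addUser("admin", new Credential(sha256("admin-pw"), true, false, true, today.plusDays(90)));
        um.addUser("user",  new Credential(sha256("user-pw"),  true, false, false, today.plusDays(5)));

        System.out.println("guest -> " + um.authenticate("guest", "guest", today));        // BUILTIN_NO_LOGIN
        System.out.println("admin -> " + um.authenticate("admin", "admin-pw", today));     // MUST_CHANGE_PASSWORD
        System.out.println("user  -> " + um.authenticate("user", "user-pw", today)
                + ", warn=" + um.shouldWarn("user", today));                               // OK, warn=true
        System.out.println("user (bad pw) -> " + um.authenticate("user", "x", today));     // BAD_CREDENTIALS
    }
}
```

The point of returning before the store is consulted for the anonymous name is that the guest account is never pulled into the expiration or first-login flow, which is exactly the blocking interaction described above; the built-in flag then covers any other internal accounts that should behave the same way.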


To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org
