portals-jetspeed-dev mailing list archives

From "Ate Douma (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] [Updated] (JS2-1258) Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin and manager role users
Date Fri, 23 Sep 2011 11:24:26 GMT

     [ https://issues.apache.org/jira/browse/JS2-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ate Douma updated JS2-1258:
---------------------------

    Description: 
The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
However, this also poses a potential security risk if some "type" of users would blindly install this in a publicly accessible way, without adjusting the default configuration.
To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.

To this end, the default/demo configuration will be changed to:

a) Require the demo admin user to change the password on first use (for all demo variants; some already have this but not yet all)

b) By default disable usage of the Tomcat Manager through the PortletApplicationManagement portlet
- no default Tomcat manager user will be pre-configured anymore in tomcat-user.xml (JetspeedInstaller)
- in jetspeed.properties the example Tomcat Manager username/password will now by default be empty (undefined)


  was:
The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
However, this also poses a potential security risk if some "type" of users would blindly install this in a publicly accessible way, without adjusting the default configuration.
To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.

To this end, the default/demo configuration will be changed to:

a) Require the demo admin user to change the password on first use (for all demo variants; some already have this but not yet all)
b) Access to the PortletApplicationManager j2-admin page will be further restricted to admin role users only (currently restricted to managers)

b) By default disable usage of the Tomcat Manager through the PortletApplicationManagement portlet
- no default Tomcat manager user will be pre-configured anymore in tomcat-user.xml (JetspeedInstaller)
- in jetspeed.properties the example Tomcat Manager username/password will now by default be empty (undefined)



> Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin and manager role users
> ------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: JS2-1258
>                 URL: https://issues.apache.org/jira/browse/JS2-1258
>             Project: Jetspeed 2
>          Issue Type: Improvement
>          Components: Assembly/Configuration, Deployment, Installer, Security
>    Affects Versions: 2.2.1
>            Reporter: Ate Douma
>             Fix For: 2.2.2
>
>
> The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
> However, this also poses a potential security risk if some "type" of users would blindly install this in a publicly accessible way, without adjusting the default configuration.
> To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.
> To this end, the default/demo configuration will be changed to:
> a) Require the demo admin user to change the password on first use (for all demo variants; some already have this but not yet all)
> b) By default disable usage of the Tomcat Manager through the PortletApplicationManagement portlet
> - no default Tomcat manager user will be pre-configured anymore in tomcat-user.xml (JetspeedInstaller)
> - in jetspeed.properties the example Tomcat Manager username/password will now by default be empty (undefined)
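
The two configuration changes above (no pre-configured Tomcat Manager user in tomcat-user.xml, and empty Manager credentials in jetspeed.properties) can be checked mechanically on an existing demo install. The audit below is an added example and not Jetspeed code; the property key names and the constructed sample files are assumptions, since the ticket does not name the actual keys.

```python
# Added example (not Jetspeed code): audit a demo install for the defaults
# JS2-1258 removes. Property key names below are assumed placeholders.
import xml.etree.ElementTree as ET

USER_KEY = "tomcat.manager.username"   # assumed jetspeed.properties key
PASS_KEY = "tomcat.manager.password"   # assumed jetspeed.properties key
MANAGER_ROLES = {"manager", "manager-gui", "manager-script"}

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value / key:value, # ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=") if "=" in line else line.partition(":")
        props[key.strip()] = value.strip()
    return props

def audit_properties(text):
    """Flag a Tomcat Manager username or password that is still defined."""
    props = parse_properties(text)
    return [f"{k} is set; the hardened default leaves it empty"
            for k in (USER_KEY, PASS_KEY) if props.get(k)]

def audit_tomcat_users(xml_text):
    """Flag every tomcat-users.xml <user> holding a Tomcat Manager role."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":   # tolerate the Tomcat namespace
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        hit = sorted(roles & MANAGER_ROLES)
        if hit:
            findings.append(f"user {el.get('username')!r} has Manager role(s) {hit}")
    return findings

# Constructed samples: pre-hardening demo defaults and the hardened layout.
WEAK_PROPS = f"{USER_KEY}=demo-manager\n{PASS_KEY}=changeme\n"
HARD_PROPS = f"# Tomcat Manager credentials intentionally undefined\n{USER_KEY}=\n{PASS_KEY}=\n"
WEAK_USERS = ('<tomcat-users xmlns="http://tomcat.apache.org/xml"><role rolename="manager"/>'
              '<user username="demo-manager" password="changeme" roles="manager"/></tomcat-users>')
HARD_USERS = '<tomcat-users xmlns="http://tomcat.apache.org/xml"/>'

if __name__ == "__main__":
    for name, f in (("jetspeed.properties", audit_properties(WEAK_PROPS)),
                    ("tomcat-users.xml", audit_tomcat_users(WEAK_USERS))):
        print(name, f or "OK")
```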

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org

