portals-jetspeed-dev mailing list archives

From "Ate Douma (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] [Created] (JS2-1258) Secure default Jetspeed demo installer configuration requiring end user to provide admin passwords and choice of enabling the usage of the Tomcat manager
Date Thu, 22 Sep 2011 14:14:26 GMT
Secure default Jetspeed demo installer configuration requiring end user to provide admin passwords
and choice of enabling the usage of the Tomcat manager  
-----------------------------------------------------------------------------------------------------------------------------------------------------------

                 Key: JS2-1258
                 URL: https://issues.apache.org/jira/browse/JS2-1258
             Project: Jetspeed 2
          Issue Type: Improvement
          Components: Installer
    Affects Versions: 2.2.1
            Reporter: Ate Douma
             Fix For: 2.2.2


The Jetspeed demo installer uses a convenient default username/password configuration which
makes it easy for end-users to get started.
However, this also poses a potential security risk if some "type" of users would blindly install
this in a publicly accessible way, without adjusting the default configuration.
To protect such users from hurting themselves, we must force them to make this an explicit
choice, and by default only provide a restricted (limited) configuration.

To this end, the Installer will be modified to:

a) Require the installing user to specify a password for the Jetspeed Portal admin user

b) Make enabling the usage of the Tomcat manager optional and disabled by default
The Tomcat manager is needed by the Portlet Application Manager to start/stop/delete Portlet
Applications.
To enable the usage of the Tomcat manager, the installing user is required to specify (both) the
Tomcat user name and password to be granted the Tomcat "manager" role.
If no username/password is provided, no Tomcat user will be enabled and thus usage of the
Tomcat manager is not possible.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
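
Added example, not part of the original message and not Jetspeed installer code: one way the two rules in the issue could be enforced when the installer turns the user's answers into configuration. The function names, the exception class and the sample values are assumptions; only the "manager" role name and the a)/b) rules come from the message.

```python
"""Installer-side checks for rules a) and b) of JS2-1258 (hypothetical names)."""
from xml.sax.saxutils import quoteattr


class InstallerConfigError(ValueError):
    """Raised when the supplied answers do not satisfy the secure defaults."""


def require_admin_password(password):
    # Rule a): there is no built-in default; the installing user must supply one.
    if password is None or not password.strip():
        raise InstallerConfigError("a Jetspeed Portal admin password is required")
    return password


def render_tomcat_users(manager_user=None, manager_password=None):
    """Rule b): return (tomcat-users.xml text, manager_enabled)."""
    user = (manager_user or "").strip()
    password = manager_password or ""
    header = '<?xml version="1.0" encoding="UTF-8"?>\n<tomcat-users>\n'
    footer = "</tomcat-users>\n"
    if not user and not password.strip():
        # Default: no user is written, so nobody holds the "manager" role.
        return header + footer, False
    if not user or not password.strip():
        # Half an answer is rejected instead of being completed with a default.
        raise InstallerConfigError(
            "enabling the Tomcat manager needs both a user name and a password")
    # quoteattr() quotes and escapes the values so they cannot break out of
    # the attribute and inject extra users or roles into the file.
    body = ('  <role rolename="manager"/>\n'
            "  <user username=%s password=%s roles=\"manager\"/>\n"
            % (quoteattr(user), quoteattr(password)))
    return header + body + footer, True


if __name__ == "__main__":
    # Constructed sample answers, for illustration only.
    require_admin_password("constructed-admin-secret")
    xml_text, enabled = render_tomcat_users()          # nothing supplied
    print("manager enabled:", enabled)
    xml_text, enabled = render_tomcat_users("pam-deployer", 's3"<&cret')
    print(xml_text)
```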

        
