You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jetspeed-dev@portals.apache.org by "Ate Douma (JIRA)" <je...@portals.apache.org> on 2011/09/23 13:38:26 UTC

[jira] [Updated] (JS2-1258) Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin user

     [ https://issues.apache.org/jira/browse/JS2-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ate Douma updated JS2-1258:
---------------------------

    Summary: Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin user  (was: Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin and manager role users )

> Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin user
> -----------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: JS2-1258
>                 URL: https://issues.apache.org/jira/browse/JS2-1258
>             Project: Jetspeed 2
>          Issue Type: Improvement
>          Components: Assembly/Configuration, Deployment, Installer, Security
>    Affects Versions: 2.2.1
>            Reporter: Ate Douma
>             Fix For: 2.2.2
>
>
> The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
> However this also poses a potential security risk if some "type" of users would blindly install this in a public accessible way, without adjusting the default configuration.
> To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.
> To this end, the default/demo configuration will be changed to:
> a) Require demo admin user to change the password on first use (for all demo variants, some already have this but not yet all)
> b) By default disable usage of the Tomcat Manager through the PortletApplicationManagement portlet
> - no default Tomcat manager user will be pre-configured anymore in tomcat-user.xml (JetspeedInstaller)
> - in jetspeed.properties the example Tomcat Manager username/password will now by default empty (undefined)

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org