Posted to users@sling.apache.org by Roy Teeuwen <ro...@teeuwen.be> on 2016/10/04 14:44:36 UTC

Authentication handler

Hey all,

When starting up our sling instance, if you go to /system/console in the VERY beginning (like 1-3 seconds after doing a startup), it is possible to log in with admin/admin, even when the admin password has been changed to something else. 
What bundle has to come active for this hardcoded default login not to work anymore?

Greetings,
Roy

Re: Authentication handler

Posted by Roy Teeuwen <ro...@teeuwen.be>.
Hey Stefan,

Thanks! Exactly what I was looking for then ;)

Greets,
Roy
> On 4 Oct 2016, at 17:22, Stefan Seifert <ss...@pro-vision.de> wrote:
> 
> when the repository is up and running the repository authentication is used for web console as well.
> but during startup phase, or when the repository is down/unavailable the authentication built into the web console itself takes place.
> 
> you need to change the admin password in the osgi config "Apache Felix OSGi Management Console" as well. esp. on production systems or you have a security leak if the repository is not available for whatever reason.
> 
> stefan
> 
>> -----Original Message-----
>> From: Roy Teeuwen [mailto:roy@teeuwen.be]
>> Sent: Tuesday, October 4, 2016 4:45 PM
>> To: users@sling.apache.org
>> Subject: Authentication handler
>> 
>> Hey all,
>> 
>> When starting up our sling instance, if you go to /system/console in the
>> VERY beginning (like 1-3 seconds after doing a startup), it is possible to
>> log in with admin/admin, even when the admin password has been changed to
>> something else.
>> What bundle has to come active for this hardcoded default login not to work
>> anymore?
>> 
>> Greetings,
>> Roy
> 


Re: Authentication handler

Posted by Julian Sedding <js...@gmail.com>.
It's a SHA-256 hash since the changes for FELIX-4299 were committed[0].

Regards
Julian

[0] https://github.com/apache/felix/commit/22e313eadf4dc323a1ed364f20f3fb4dfc1f6791

On Tue, Oct 4, 2016 at 5:54 PM, Rob Ryan <rr...@adobe.com> wrote:
> Does the webconsole authentication store the password hashed or plaintext?
>
> -Rob
>
>
> On 10/4/16, 8:22 AM, "Stefan Seifert" <ss...@pro-vision.de> wrote:
>
>     when the repository is up and running the repository authentication is used for web console as well.
>     but during startup phase, or when the repository is down/unavailable the authentication built into the web console itself takes place.
>
>     you need to change the admin password in the osgi config "Apache Felix OSGi Management Console" as well. esp. on production systems or you have a security leak if the repository is not available for whatever reason.
>
>     stefan
>
>     >-----Original Message-----
>     >From: Roy Teeuwen [mailto:roy@teeuwen.be]
>     >Sent: Tuesday, October 4, 2016 4:45 PM
>     >To: users@sling.apache.org
>     >Subject: Authentication handler
>     >
>     >Hey all,
>     >
>     >When starting up our sling instance, if you go to /system/console in the
>     >VERY beginning (like 1-3 seconds after doing a startup), it is possible to
>     >log in with admin/admin, even when the admin password has been changed to
>     >something else.
>     >What bundle has to come active for this hardcoded default login not to work
>     >anymore?
>     >
>     >Greetings,
>     >Roy
>
>
>

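An added example, not code from the thread or from the Felix project, illustrating Stefan's point (change the web console's own admin password in the "Apache Felix OSGi Management Console" configuration, since that fallback authentication applies while the repository is unavailable) together with Julian's (the stored value is a SHA-256 hash since FELIX-4299). It assumes, from my reading of the Felix web console rather than from anything on this page, that the configuration PID is `org.apache.felix.webconsole.internal.servlet.OsgiManager` with `username` and `password` properties, and that a hashed password is stored as `{sha-256}` followed by the base64 SHA-256 digest of the UTF-8 password; the `.config` sample is constructed. The audit flags a configuration that is missing, stores plaintext, or still hashes the default `admin` password, so a deployment can verify its startup-phase credentials before the repository ever goes down.

```python
import base64
import hashlib
import hmac

# Assumptions (not from the thread): the Felix web console stores a changed
# password as "{sha-256}" + base64(SHA-256(password)) since FELIX-4299, and
# reads it from the OSGi configuration with this PID and these property names.
OSGI_MANAGER_PID = "org.apache.felix.webconsole.internal.servlet.OsgiManager"
HASH_PREFIX = "{sha-256}"
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "admin"


def hash_password(plain: str) -> str:
    """Return the stored form of a web console password (assumed format)."""
    digest = hashlib.sha256(plain.encode("utf-8")).digest()
    return HASH_PREFIX + base64.b64encode(digest).decode("ascii")


def password_matches(stored: str, candidate: str) -> bool:
    """Compare a candidate against a stored value, hashed or legacy plaintext."""
    if stored.startswith(HASH_PREFIX):
        expected = hash_password(candidate)
    else:
        expected = candidate  # value written before hashing was introduced
    return hmac.compare_digest(stored.encode("utf-8"), expected.encode("utf-8"))


def parse_config(text: str) -> dict:
    """Parse the key="value" lines of a Felix .config file (minimal parser)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().strip('"')
    return props


def audit_console_config(text: str) -> list:
    """Return findings for a web console config that still relies on defaults."""
    props = parse_config(text)
    findings = []
    stored = props.get("password")
    if stored is None:
        findings.append("no password configured: console falls back to admin/admin during startup")
    else:
        if not stored.startswith(HASH_PREFIX):
            findings.append("password stored in plaintext instead of {sha-256} form")
        if password_matches(stored, DEFAULT_PASSWORD):
            findings.append("password equals the default 'admin'")
    if props.get("username", DEFAULT_USER) == DEFAULT_USER:
        findings.append("username is the default 'admin'")
    return findings


# Constructed sample: a .config file for the console PID whose operator did
# set a hashed password, but hashed the default one.
SAMPLE_CONFIG = """\
# %s.config (constructed sample)
username="admin"
password="%s"
""" % (OSGI_MANAGER_PID, hash_password(DEFAULT_PASSWORD))


if __name__ == "__main__":
    for finding in audit_console_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("hardened value to store:", hash_password("replace-me-with-a-real-secret"))
```

Run it against the `.config` file (or the launchpad/provisioning fragment) that configures that PID; an empty findings list means the startup-phase console login no longer accepts the built-in default, independent of whether repository authentication is available yet.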
Re: Authentication handler

Posted by Rob Ryan <rr...@adobe.com>.
Does the webconsole authentication store the password hashed or plaintext?

-Rob


On 10/4/16, 8:22 AM, "Stefan Seifert" <ss...@pro-vision.de> wrote:

    when the repository is up and running the repository authentication is used for web console as well.
    but during startup phase, or when the repository is down/unavailable the authentication built into the web console itself takes place.
    
    you need to change the admin password in the osgi config "Apache Felix OSGi Management Console" as well. esp. on production systems or you have a security leak if the repository is not available for whatever reason.
    
    stefan
    
    >-----Original Message-----
    >From: Roy Teeuwen [mailto:roy@teeuwen.be]
    >Sent: Tuesday, October 4, 2016 4:45 PM
    >To: users@sling.apache.org
    >Subject: Authentication handler
    >
    >Hey all,
    >
    >When starting up our sling instance, if you go to /system/console in the
    >VERY beginning (like 1-3 seconds after doing a startup), it is possible to
    >log in with admin/admin, even when the admin password has been changed to
    >something else.
    >What bundle has to come active for this hardcoded default login not to work
    >anymore?
    >
    >Greetings,
    >Roy
    
    


RE: Authentication handler

Posted by Stefan Seifert <ss...@pro-vision.de>.
when the repository is up and running the repository authentication is used for web console as well.
but during startup phase, or when the repository is down/unavailable the authentication built into the web console itself takes place.

you need to change the admin password in the osgi config "Apache Felix OSGi Management Console" as well. esp. on production systems or you have a security leak if the repository is not available for whatever reason.

stefan

>-----Original Message-----
>From: Roy Teeuwen [mailto:roy@teeuwen.be]
>Sent: Tuesday, October 4, 2016 4:45 PM
>To: users@sling.apache.org
>Subject: Authentication handler
>
>Hey all,
>
>When starting up our sling instance, if you go to /system/console in the
>VERY beginning (like 1-3 seconds after doing a startup), it is possible to
>log in with admin/admin, even when the admin password has been changed to
>something else.
>What bundle has to come active for this hardcoded default login not to work
>anymore?
>
>Greetings,
>Roy