You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "Stefan Guggisberg (JIRA)" <ji...@apache.org> on 2006/03/13 15:06:10 UTC
[jira] Commented: (JCR-351) Default to superuser access when JAAS
is not configured
[ http://issues.apache.org/jira/browse/JCR-351?page=comments#action_12370183 ]
Stefan Guggisberg commented on JCR-351:
---------------------------------------
the JAAS configuration is not required. the automatic configuration should default to:
<LoginModule class="org.apache.jackrabbit.core.security.SimpleLoginModule"/>
SimpleLoginModule used with SimpleAccessManager provides full read/write access
for arbitrary credentials, out of the box.
> Default to superuser access when JAAS is not configured
> -------------------------------------------------------
>
> Key: JCR-351
> URL: http://issues.apache.org/jira/browse/JCR-351
> Project: Jackrabbit
> Type: Improvement
> Components: security
> Versions: 0.9
> Reporter: Jukka Zitting
> Priority: Minor
>
> Even though JCR-348 made easier to start a Jackrabbit repository with default configuration, the user still needs to take care of the JAAS configuration. It would be more user-friendly to log a warning and default to superuser access rather than throwing a LoginException when JAAS has not been configured. This behaviour should be limited to only default credential logins (Session.login() with null Credentials) and it should be possible to disable it with a configuration option. We could even have this behaviour disabled by default, but enabled in the configuration file used with the JCR-348 automatic configuration.
> This is a case against the "secure by default" design principle, but I think that in this case the benefits in easier setup outweight the security drawbacks, especially if coupled with the above restrictions and a clear documentation note about the insecure default.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira