You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by "Kevan Miller (JIRA)" <de...@geronimo.apache.org> on 2005/12/19 23:10:30 UTC
[jira] Created: (GERONIMO-1394) JMX Debug Console should require admin-level authentication
JMX Debug Console should require admin-level authentication
-----------------------------------------------------------
Key: GERONIMO-1394
URL: http://issues.apache.org/jira/browse/GERONIMO-1394
Project: Geronimo
Type: Bug
Components: management
Versions: 1.0
Environment: 1.0 RC
Reporter: Kevan Miller
Fix For: 1.1
The debug console does not require user authentication. Since MBean attributes can provide configuration and security information about a server that should not be public knowledge, by default, the debug console should require admin-level authentication.
I didn't see anything too sensitive in my sampling of MBean attributes... Whoops, I spoke too soon. Here are the attributes for the DirectoryService (note the credentials attribute)...
ObjectName: geronimo.server:name=DirectoryService
ClassName: org.apache.geronimo.directory.DirectoryGBean
State: running
Attributes
Name Value
anonymousAccess true
configFile (null)
enableNetworking true
host 0.0.0.0
port 1389
providerURL ou=system
securityAuthentication simple
securityCredentials secret
securityPrincipal uid=admin,ou=system
workingDir (null)
There's been talk of incorporating debug console into the admin console -- which i would support and would presumably address the problem... However, in the meantime, we may want/need to nail down the current debug console...
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Updated: (GERONIMO-1394) JMX Debug Console should require
admin-level authentication
Posted by "Matt Hogstrom (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-1394?page=all ]
Matt Hogstrom updated GERONIMO-1394:
------------------------------------
Fix Version/s: Wish List
(was: 1.2)
> JMX Debug Console should require admin-level authentication
> -----------------------------------------------------------
>
> Key: GERONIMO-1394
> URL: http://issues.apache.org/jira/browse/GERONIMO-1394
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: management
> Affects Versions: 1.0
> Environment: 1.0 RC
> Reporter: Kevan Miller
> Fix For: Wish List
>
>
> The debug console does not require user authentication. Since MBean attributes can provide configuration and security information about a server that should not be public knowledge, by default, the debug console should require admin-level authentication.
> I didn't see anything too sensitive in my sampling of MBean attributes... Whoops, I spoke too soon. Here are the attributes for the DirectoryService (note the credentials attribute)...
> ObjectName: geronimo.server:name=DirectoryService
> ClassName: org.apache.geronimo.directory.DirectoryGBean
> State: running
> Attributes
> Name Value
> anonymousAccess true
> configFile (null)
> enableNetworking true
> host 0.0.0.0
> port 1389
> providerURL ou=system
> securityAuthentication simple
> securityCredentials secret
> securityPrincipal uid=admin,ou=system
> workingDir (null)
> There's been talk of incorporating debug console into the admin console -- which i would support and would presumably address the problem... However, in the meantime, we may want/need to nail down the current debug console...
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Closed: (GERONIMO-1394) JMX Debug Console should require
admin-level authentication
Posted by "Kevan Miller (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/GERONIMO-1394?page=all ]
Kevan Miller closed GERONIMO-1394.
----------------------------------
Resolution: Won't Fix
There isn't a debug console any longer...
> JMX Debug Console should require admin-level authentication
> -----------------------------------------------------------
>
> Key: GERONIMO-1394
> URL: http://issues.apache.org/jira/browse/GERONIMO-1394
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: management
> Affects Versions: 1.0
> Environment: 1.0 RC
> Reporter: Kevan Miller
> Fix For: Wish List
>
>
> The debug console does not require user authentication. Since MBean attributes can provide configuration and security information about a server that should not be public knowledge, by default, the debug console should require admin-level authentication.
> I didn't see anything too sensitive in my sampling of MBean attributes... Whoops, I spoke too soon. Here are the attributes for the DirectoryService (note the credentials attribute)...
> ObjectName: geronimo.server:name=DirectoryService
> ClassName: org.apache.geronimo.directory.DirectoryGBean
> State: running
> Attributes
> Name Value
> anonymousAccess true
> configFile (null)
> enableNetworking true
> host 0.0.0.0
> port 1389
> providerURL ou=system
> securityAuthentication simple
> securityCredentials secret
> securityPrincipal uid=admin,ou=system
> workingDir (null)
> There's been talk of incorporating debug console into the admin console -- which i would support and would presumably address the problem... However, in the meantime, we may want/need to nail down the current debug console...
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira