You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@geronimo.apache.org by "Matt Hogstrom (JIRA)" <ji...@apache.org> on 2006/11/17 06:47:41 UTC

[jira] Updated: (GERONIMO-1394) JMX Debug Console should require admin-level authentication

     [ http://issues.apache.org/jira/browse/GERONIMO-1394?page=all ]

Matt Hogstrom updated GERONIMO-1394:
------------------------------------

    Fix Version/s: Wish List
                       (was: 1.2)

> JMX Debug Console should require admin-level authentication
> -----------------------------------------------------------
>
>                 Key: GERONIMO-1394
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-1394
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: management
>    Affects Versions: 1.0
>         Environment: 1.0 RC
>            Reporter: Kevan Miller
>             Fix For: Wish List
>
>
> The debug console does not require user authentication. Since MBean attributes can provide configuration and security information about a server that should not be public knowledge, by default, the debug console should require admin-level authentication. 
> I didn't see anything too sensitive in my sampling of MBean attributes... Whoops, I spoke too soon. Here are the attributes for the DirectoryService (note the credentials attribute)...
> ObjectName:   	 geronimo.server:name=DirectoryService
> ClassName: 	org.apache.geronimo.directory.DirectoryGBean
> State: 	running
> Attributes
> Name 	Value
> anonymousAccess 	true
> configFile 	(null)
> enableNetworking 	true
> host 	0.0.0.0
> port 	1389
> providerURL 	ou=system
> securityAuthentication 	simple
> securityCredentials 	secret
> securityPrincipal 	uid=admin,ou=system
> workingDir 	(null)
> There's been talk of incorporating debug console into the admin console -- which i would support and would presumably address the problem... However, in the meantime, we may want/need to nail down the current debug console...

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira