Posted to dev@jackrabbit.apache.org by "Jukka Zitting (JIRA)" <ji...@apache.org> on 2009/01/08 14:10:59 UTC

[jira] Created: (JCR-1927) More secure default installation

More secure default installation
--------------------------------

                 Key: JCR-1927
                 URL: https://issues.apache.org/jira/browse/JCR-1927
             Project: Jackrabbit
          Issue Type: Improvement
          Components: jackrabbit-core
            Reporter: Jukka Zitting


Currently the default installation of Jackrabbit grants login, read and write access to any username and password combination. It might be a good idea to require explicit user accounts and access rights to be configured during installation.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Re: [jira] Resolved: (JCR-1927) More secure default installation

Posted by simer anand <si...@gmail.com>.
> > Currently the default installation of Jackrabbit grants login, read and write access to any username and password combination. It might be a good idea to require explicit user accounts and access rights to be configured during installation.



That would be great. Good idea.


[jira] Reopened: (JCR-1927) More secure default installation

Posted by "angela (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-1927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela reopened JCR-1927:
-------------------------


Just realized that we still have plenty of repository.xml(s) using the simple-security config.
Only the one I'm using for the tests has the *real* stuff in *arrrgh*.

Reopening.
I'd say we should/could address this for the 2.0 release as it shouldn't cause too many problems, should it?

> More secure default installation
> --------------------------------
>
>                 Key: JCR-1927
>                 URL: https://issues.apache.org/jira/browse/JCR-1927
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core
>            Reporter: Jukka Zitting
>             Fix For: 2.0.0
>
>
> Currently the default installation of Jackrabbit grants login, read and write access to any username and password combination. It might be a good idea to require explicit user accounts and access rights to be configured during installation.

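An added example, not part of the thread or of Jackrabbit's own code: one way to find the repository.xml files that still use the simple-security setup mentioned above. It assumes that setup means `class` attributes from the `org.apache.jackrabbit.core.security.simple` package; both XML samples are constructed and trimmed to the `<Security>` section.

```python
import sys
import xml.etree.ElementTree as ET

# Assumption: "simple-security config" = classes from this Jackrabbit package
# (SimpleSecurityManager, SimpleAccessManager, SimpleLoginModule).
SIMPLE_PKG = "org.apache.jackrabbit.core.security.simple."

# Constructed samples, trimmed to the <Security> section of a repository.xml.
SIMPLE_XML = """<Repository>
  <Security appName="Jackrabbit">
    <SecurityManager class="org.apache.jackrabbit.core.security.simple.SimpleSecurityManager" workspaceName="security"/>
    <AccessManager class="org.apache.jackrabbit.core.security.simple.SimpleAccessManager"/>
    <LoginModule class="org.apache.jackrabbit.core.security.simple.SimpleLoginModule">
      <param name="anonymousId" value="anonymous"/>
    </LoginModule>
  </Security>
</Repository>"""

DEFAULT_XML = """<Repository>
  <Security appName="Jackrabbit">
    <SecurityManager class="org.apache.jackrabbit.core.DefaultSecurityManager" workspaceName="security"/>
    <AccessManager class="org.apache.jackrabbit.core.security.DefaultAccessManager"/>
    <LoginModule class="org.apache.jackrabbit.core.security.authentication.DefaultLoginModule"/>
  </Security>
</Repository>"""

def audit_security(xml_text):
    """Return (element, class) pairs under <Security> that use simple-security classes."""
    security = ET.fromstring(xml_text).find("Security")
    if security is None:
        # No <Security> section at all: report it rather than pass silently.
        return [("Security", "<missing>")]
    return [(elem.tag, elem.get("class"))
            for elem in security.iter()
            if elem.get("class", "").startswith(SIMPLE_PKG)]

if __name__ == "__main__":
    # Usage: python audit.py path/to/repository.xml [more files...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for tag, cls in audit_security(fh.read()):
                print(f"{path}: {tag} uses {cls}")
```
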


[jira] Resolved: (JCR-1927) More secure default installation

Posted by "angela (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-1927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela resolved JCR-1927.
-------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.0

I'd say this is no longer the case in the trunk. The simple-access stuff isn't used in the
default repository.xml in the core.

> More secure default installation
> --------------------------------
>
>                 Key: JCR-1927
>                 URL: https://issues.apache.org/jira/browse/JCR-1927
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core
>            Reporter: Jukka Zitting
>             Fix For: 2.0.0
>
>
> Currently the default installation of Jackrabbit grants login, read and write access to any username and password combination. It might be a good idea to require explicit user accounts and access rights to be configured during installation.



[jira] Commented: (JCR-1927) More secure default installation

Posted by "Thomas Mueller (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-1927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12661969#action_12661969 ] 

Thomas Mueller commented on JCR-1927:
-------------------------------------

This is similar to Apache Derby where user name and password are ignored by default. Other Java databases work differently:

HSQLDB uses a fixed user name (sa) and password (empty) until you change it.

In the H2 database, only the name and password of the user that created the database are allowed by default.


> More secure default installation
> --------------------------------
>
>                 Key: JCR-1927
>                 URL: https://issues.apache.org/jira/browse/JCR-1927
>             Project: Jackrabbit
>          Issue Type: Improvement
>          Components: jackrabbit-core
>            Reporter: Jukka Zitting
>
> Currently the default installation of Jackrabbit grants login, read and write access to any username and password combination. It might be a good idea to require explicit user accounts and access rights to be configured during installation.



[jira] Updated: (JCR-1927) More secure default installation

Posted by "Jukka Zitting (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-1927?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jukka Zitting updated JCR-1927:
-------------------------------

    Fix Version/s:     (was: 2.0.0)

Unscheduling from 2.0, as we can do this also for a later release.

> More secure default installation
> --------------------------------
>
>                 Key: JCR-1927
>                 URL: https://issues.apache.org/jira/browse/JCR-1927
>             Project: Jackrabbit Content Repository
>          Issue Type: Improvement
>          Components: jackrabbit-core
>            Reporter: Jukka Zitting
>
> Currently the default installation of Jackrabbit grants login, read and write access to any username and password combination. It might be a good idea to require explicit user accounts and access rights to be configured during installation.



[jira] Commented: (JCR-1927) More secure default installation

Posted by "angela (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-1927?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12661964#action_12661964 ] 

angela commented on JCR-1927:
-----------------------------

We can simply switch from the simple-security setup to the default that requires registered users.
I just didn't want to do so during early development stages of the security implementation.

> More secure default installation
> --------------------------------
>
>                 Key: JCR-1927
>                 URL: https://issues.apache.org/jira/browse/JCR-1927
>             Project: Jackrabbit
>          Issue Type: Improvement
>          Components: jackrabbit-core
>            Reporter: Jukka Zitting
>
> Currently the default installation of Jackrabbit grants login, read and write access to any username and password combination. It might be a good idea to require explicit user accounts and access rights to be configured during installation.
