geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kevan Miller (JIRA)" <...@geronimo.apache.org>
Subject [jira] Created: (GERONIMO-1394) JMX Debug Console should require admin-level authentication
Date Mon, 19 Dec 2005 22:10:30 GMT
JMX Debug Console should require admin-level authentication
-----------------------------------------------------------

         Key: GERONIMO-1394
         URL: http://issues.apache.org/jira/browse/GERONIMO-1394
     Project: Geronimo
        Type: Bug
  Components: management  
    Versions: 1.0    
 Environment: 1.0 RC
    Reporter: Kevan Miller
     Fix For: 1.1


The debug console does not require user authentication. Since MBean attributes can provide
configuration and security information about a server that should not be public knowledge,
by default, the debug console should require admin-level authentication. 

I didn't see anything too sensitive in my sampling of MBean attributes... Whoops, I spoke
too soon. Here are the attributes for the DirectoryService (note the credentials attribute)...

ObjectName:   	 geronimo.server:name=DirectoryService
ClassName: 	org.apache.geronimo.directory.DirectoryGBean
State: 	running
Attributes
Name 	Value
anonymousAccess 	true
configFile 	(null)
enableNetworking 	true
host 	0.0.0.0
port 	1389
providerURL 	ou=system
securityAuthentication 	simple
securityCredentials 	secret
securityPrincipal 	uid=admin,ou=system
workingDir 	(null)

There's been talk of incorporating debug console into the admin console -- which i would support
and would presumably address the problem... However, in the meantime, we may want/need to
nail down the current debug console...

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message