geronimo-dev mailing list archives

From "Heinz Drews" <heinz.dr...@gmail.com>
Subject Re: [jira] Commented: (GERONIMO-911) Admin Console should require SSL
Date Thu, 19 Oct 2006 22:04:19 GMT
Can the console not use a different port/container from the base
settings?  Similar to the approach done in WebSphere.
This would significantly reduce the exposure and would not require
defaulting to HTTPS without proper infrastructure.

Heinz

On 10/19/06, Aaron Mulder (JIRA) <dev@geronimo.apache.org> wrote:
>     [ http://issues.apache.org/jira/browse/GERONIMO-911?page=comments#action_12443623 ]
>
> Aaron Mulder commented on GERONIMO-911:
> ---------------------------------------
>
> Not only that, but you get a different warning if the host name of the HTTPS server doesn't match the host name of the certificate.  Our only option would be to get a certificate for "localhost" and assume that the user wouldn't put the proper server hostname into the URL (e.g. https://localhost would work but https://my.server.com would not), but I suspect we'd have trouble getting a certificate issued for "localhost" since it would be so subject to abuse.
>
> Bottom line, I don't think we can default to HTTPS.  But we can certainly provide a document or wizard to enable HTTPS (where you select a real keystore, enter passwords, etc.) and point you to the HTTPS URL for the console.  That would be the better way to go in my opinion.
>
> > Admin Console should require SSL
> > --------------------------------
> >
> >                 Key: GERONIMO-911
> >                 URL: http://issues.apache.org/jira/browse/GERONIMO-911
> >             Project: Geronimo
> >          Issue Type: Improvement
> >      Security Level: public(Regular issues)
> >          Components: console
> >    Affects Versions: 1.0-M5
> >         Environment: all
> >            Reporter: Donald Woods
> >         Assigned To: Donald Woods
> >            Priority: Trivial
> >             Fix For: 1.x
> >
> >         Attachments: Geronimo-911.patch
> >
> >
> > Admin Console login and Portlet access should require SSL to protect the system password and any connector/DB/LDAP configured passwords in the Portlets.
> > I'm willing to create and post a patch for this, once I get a couple other items off my plate...  -Donald
>
