From: "Jukka Zitting (JIRA)"
To: jackrabbit-dev@incubator.apache.org
Date: Thu, 16 Mar 2006 19:00:47 +0000 (GMT)
Subject: [jira] Resolved: (JCR-351) Default to anonymous access when no Credentials are given
Message-ID: <429782416.1142535647940.JavaMail.jira@ajax>
In-Reply-To: <1559483399.1142257539353.JavaMail.jira@ajax>

[ http://issues.apache.org/jira/browse/JCR-351?page=all ]

Jukka Zitting resolved JCR-351:
-------------------------------

Fix Version: 1.0
Resolution: Fixed

Patch committed in revision 386415. Merged in the 1.0 branch in revision 386416.
> Default to anonymous access when no Credentials are given
> ---------------------------------------------------------
>
>          Key: JCR-351
>          URL: http://issues.apache.org/jira/browse/JCR-351
>      Project: Jackrabbit
>         Type: Improvement
>   Components: security
>     Versions: 0.9
>     Reporter: Jukka Zitting
>     Assignee: Jukka Zitting
>     Priority: Minor
>      Fix For: 1.0
>  Attachments: null-credentials.patch
>
> Even though JCR-348 made it easier to start a Jackrabbit repository with default configuration, the user still needs to take care of the JAAS configuration. It would be more user-friendly to log a warning and default to superuser access rather than throwing a LoginException when JAAS has not been configured. This behaviour should be limited to only default credential logins (Session.login() with null Credentials) and it should be possible to disable it with a configuration option. We could even have this behaviour disabled by default, but enabled in the configuration file used with the JCR-348 automatic configuration.
>
> This is a case against the "secure by default" design principle, but I think that in this case the benefits in easier setup outweigh the security drawbacks, especially if coupled with the above restrictions and a clear documentation note about the insecure default.
>
> [Update: As mentioned by Stefan, this is not a JAAS configuration issue but a problem in handling null Credentials. A more proper alternative for superuser access would be to default to anonymous access when credentials are not given.]

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
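The login policy the issue describes, as an added illustration and not code from the Jackrabbit patch: a hypothetical helper around the standard javax.jcr.Repository.login(Credentials, String) call that falls back to an anonymous session only when no Credentials are given and the fallback option is enabled, and logs a warning so the insecure default is visible in the logs. The anonymous user id "anonymous", the option name anonymousFallback and the use of java.util.logging are assumptions.

```java
import javax.jcr.Credentials;
import javax.jcr.LoginException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import java.util.logging.Logger;

/**
 * Hypothetical helper (not Jackrabbit code) implementing the null-Credentials
 * handling proposed in JCR-351 on top of the standard JCR Repository API.
 */
public final class NullCredentialsLoginPolicy {
    private static final Logger LOG =
            Logger.getLogger(NullCredentialsLoginPolicy.class.getName());

    /** Assumed anonymous user id; a real deployment takes it from the repository configuration. */
    private static final String ANONYMOUS_ID = "anonymous";

    private final Repository repository;
    private final boolean anonymousFallback;

    /**
     * @param anonymousFallback true: null Credentials become an anonymous session
     *        (convenience mode); false: null Credentials are rejected with a
     *        LoginException (secure-by-default mode).
     */
    public NullCredentialsLoginPolicy(Repository repository, boolean anonymousFallback) {
        this.repository = repository;
        this.anonymousFallback = anonymousFallback;
    }

    public Session login(Credentials credentials, String workspace) throws RepositoryException {
        if (credentials != null) {
            // Normal path: the caller supplied credentials, authenticate as usual.
            return repository.login(credentials, workspace);
        }
        if (!anonymousFallback) {
            // Secure default: refuse rather than silently widening access.
            throw new LoginException("No Credentials given and anonymous fallback is disabled");
        }
        // Convenience mode: the fallback is only taken for null Credentials, and it is
        // logged at WARNING level so the insecure default shows up in operational logs.
        LOG.warning("login() called without Credentials; defaulting to anonymous access"
                + " (workspace=" + workspace + "); set anonymousFallback=false to require credentials");
        return repository.login(new SimpleCredentials(ANONYMOUS_ID, new char[0]), workspace);
    }
}
```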