From: "Ate Douma (JIRA)"
To: jetspeed-dev@portals.apache.org
Reply-To: "Jetspeed Developers List"
Date: Fri, 23 Sep 2011 11:04:26 +0000 (UTC)
Message-ID: <2133871167.6050.1316775866197.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <479195049.2291.1316700866119.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Updated] (JS2-1258) Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin and manager role users

[ https://issues.apache.org/jira/browse/JS2-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ate Douma updated JS2-1258:
---------------------------

Description:

The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
However this also poses a potential security risk if some "type" of users would blindly install this in a publicly accessible way, without adjusting the default configuration.
To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.

To this end, the default/demo configuration will be changed to:
a) Require admin/manager role users to change their password on first use
To this end also only one user, admin, will be provided having the admin and/or manager role; the example manager user will no longer have the manager role through the demo seed data.
b) By default disable usage of the Tomcat Manager through the PortletApplicationManagement portlet
- no default Tomcat manager user will be pre-configured anymore in tomcat-users.xml (JetspeedInstaller)
- in jetspeed.properties the example Tomcat Manager username/password will now by default be empty (undefined)

was:

The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
However this also poses a potential security risk if some "type" of users would blindly install this in a publicly accessible way, without adjusting the default configuration.
To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.

To this end, the default/demo configuration will be changed to:
a) Require admin/manager role users to change their password on first use
To this end also only one user, admin, will be provided; the manager example user will be dropped from the demo seed data.
b) By default disable usage of the Tomcat Manager through the PortletApplicationManagement portlet
- no default Tomcat manager user will be pre-configured anymore in tomcat-users.xml (JetspeedInstaller)
- in jetspeed.properties the example Tomcat Manager username/password will now by default be empty (undefined)

> Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin and manager role users
> ------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: JS2-1258
>                 URL: https://issues.apache.org/jira/browse/JS2-1258
>             Project: Jetspeed 2
>          Issue Type: Improvement
>          Components: Assembly/Configuration, Deployment, Installer, Security
>    Affects Versions: 2.2.1
>            Reporter: Ate Douma
>             Fix For: 2.2.2
>
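A defender-side check for the file-level changes this issue describes (no pre-configured Tomcat Manager user in tomcat-users.xml, empty Tomcat Manager credentials in jetspeed.properties, and only the admin user holding the admin/manager portal roles in the seed data), added here as an example for this archive page; it is not Jetspeed project code. The jetspeed.properties key names, the sample file contents and the dictionary standing in for the demo seed data are constructed assumptions, not values taken from the Jetspeed distribution:

```python
"""Audit a Jetspeed demo install for the weak defaults JS2-1258 removes.

Added example, not Jetspeed project code. The jetspeed.properties key names,
the sample files and the seed-user dictionary are constructed assumptions.
"""
import xml.etree.ElementTree as ET

# Tomcat roles that grant access to the Tomcat Manager application.
TOMCAT_MANAGER_ROLES = {"manager", "manager-gui", "manager-script",
                        "manager-jmx", "manager-status"}
# ASSUMED key names for the PortletApplicationManagement portlet's Tomcat
# Manager credentials; look up the real keys in your own jetspeed.properties.
MANAGER_USER_KEY = "services.pam.server.manager.user"
MANAGER_PASSWORD_KEY = "services.pam.server.manager.password"
# Portal roles that the hardened demo seed data grants only to 'admin'.
PRIVILEGED_PORTAL_ROLES = {"admin", "manager"}


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines, and the
    first '=' or ':' separates key from value (no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            idx = min(seps)
            props[line[:idx].strip()] = line[idx + 1:].strip()
        else:
            props[line] = ""
    return props


def tomcat_manager_users(tomcat_users_xml):
    """Usernames in tomcat-users.xml holding any Tomcat Manager role.
    Works with or without the Tomcat 7+ default namespace on the root."""
    found = []
    for el in ET.fromstring(tomcat_users_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if roles & TOMCAT_MANAGER_ROLES:
            found.append(el.get("username"))
    return found


def audit(tomcat_users_xml, jetspeed_properties, seed_users):
    """Return findings (empty list means hardened). seed_users maps each demo
    username to its set of portal roles and stands in for the seed data."""
    findings = []
    for name in tomcat_manager_users(tomcat_users_xml):
        findings.append(f"tomcat-users.xml pre-configures Tomcat Manager user {name!r}")
    props = parse_properties(jetspeed_properties)
    if props.get(MANAGER_USER_KEY) or props.get(MANAGER_PASSWORD_KEY):
        findings.append("jetspeed.properties ships Tomcat Manager credentials; "
                        "PortletApplicationManagement can reach the Manager")
    privileged = sorted(u for u, roles in seed_users.items()
                        if roles & PRIVILEGED_PORTAL_ROLES)
    if privileged != ["admin"]:
        findings.append(f"seed data grants admin/manager roles to {privileged}, "
                        "expected only ['admin']")
    return findings


# Constructed sample inputs: defaults of the kind the issue removes ...
WEAK_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="demo-manager" password="demo-secret" roles="manager-gui,manager-script"/>
</tomcat-users>
"""
WEAK_PROPERTIES = """# constructed example; key names are assumed
services.pam.server.manager.user = demo-manager
services.pam.server.manager.password = demo-secret
"""
WEAK_SEED = {"admin": {"admin", "manager", "user"},
             "manager": {"manager", "user"},
             "user": {"user"}}

# ... and the hardened shape: no Manager user, empty credentials, admin only.
HARDENED_TOMCAT_USERS = """<tomcat-users>
</tomcat-users>
"""
HARDENED_PROPERTIES = """services.pam.server.manager.user =
services.pam.server.manager.password =
"""
HARDENED_SEED = {"admin": {"admin", "manager", "user"},
                 "manager": {"user"},
                 "user": {"user"}}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_TOMCAT_USERS, WEAK_PROPERTIES, WEAK_SEED)),
                        ("hardened", (HARDENED_TOMCAT_USERS, HARDENED_PROPERTIES, HARDENED_SEED))):
        findings = audit(*args)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

Run it against a real installation by reading the deployed tomcat-users.xml and jetspeed.properties in place of the constructed strings, and by translating the actual seed data into the username-to-roles dictionary; the forced password change on first use that the issue also introduces is enforced inside the portal's credential handling and is not visible in these files, so it is out of scope for this check.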