Github user aledsage commented on a diff in the pull request:

    https://github.com/apache/incubator-brooklyn/pull/154#discussion_r17289211
  
    --- Diff: 
usage/launcher/src/main/java/brooklyn/launcher/BrooklynLauncher.java ---
    @@ -595,16 +597,18 @@ private void handleSubsystemStartupError(boolean 
ignoreSuchErrors, String system
         }
     
         protected void startWebApps() {
    -        if (BrooklynWebConfig.hasNoSecurityOptions(brooklynProperties)) {
    -            if (bindAddress==null) {
    -                LOG.info("Starting brooklyn web-console on loopback 
interface because no security config is set");
    -                bindAddress = Networking.LOOPBACK;
    -            }
    -            if (skipSecurityFilter==null) {
    -                LOG.debug("Starting brooklyn web-console without security 
because we are loopback and no security is set");
    -                skipSecurityFilter = true;
    -            }
    +        // No security options in properties and no command line options 
overriding.
    +        if (Boolean.TRUE.equals(skipSecurityFilter) && bindAddress == 
null) {
    +            LOG.info("Starting Brooklyn web-console on loopback because 
security is explicitly disabled and no bind address was given");
    +            bindAddress = Networking.LOOPBACK;
    +        } else if 
(BrooklynWebConfig.hasNoSecurityOptions(brooklynProperties) && bindAddress == 
null) {
    +            LOG.info("Starting Brooklyn web-console with passwordless 
access on localhost and protected access from other interfaces");
    +            bindAddress = Networking.ANY_NIC;
    +            brooklynProperties.put(
    +                    BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME,
    +                    
BrooklynUserWithRandomPasswordSecurityProvider.class.getName());
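
Review bot: The `else if` branch changes the no-security-config default from `Networking.LOOPBACK` to `Networking.ANY_NIC`, yet it is announced only at INFO and the message never states that the console now listens on every interface. Consider logging this at WARN and naming the bind address and the provider being installed, so an operator who relied on the old loopback-only default notices the wider exposure. Separately, in the visible lines both branches require `bindAddress == null`, so `skipSecurityFilter` set to true together with an explicit non-loopback bind address passes through here with no log line at all; a warning for that combination would help. The comment "No security options in properties and no command line options overriding." also sits above the `skipSecurityFilter` branch but describes the second one, so it should move down to the `else if`.
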
    --- End diff --
    
    I think this is right, but just wanted to raise a question... with 
`ExplicitUsersSecurityProvider.authenticate` it will look up the 
users+passwords from brooklyn properties, so a properties-reload will affect 
subsequent authenticate attempts (but not existing sessions). However, if we've 
set it to use `BrooklynUserWithRandomPasswordSecurityProvider` then the 
properties-reload to add explicit users + passwords will have no effect. I 
think that's fine as we've logged to tell the person starting brooklyn, so they 
can restart if desired.

