[ https://issues.apache.org/jira/browse/FELIX-5774?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carsten Ziegeler resolved FELIX-5774.
-------------------------------------
    Resolution: Duplicate

> Webconsole default security cannot be disabled
> ----------------------------------------------
>
>                 Key: FELIX-5774
>                 URL: https://issues.apache.org/jira/browse/FELIX-5774
>             Project: Felix
>          Issue Type: Bug
>          Components: Web Console
>            Reporter: Peter Kriens
>            Priority: Minor
>
> The web console can use a Web Console Security Provider to handle the
> authorization of a request using an optional service. If this service is not
> present, the configuration 'user' and 'password' are used for the login
> (default admin/admin).
> If the security provider service is used then this creates a window where the
> webconsole is unprotected when the provider bundle is not yet started or
> updated.
> One solution is to set the user id to ':' since the Basic Authentication
> protocol can never pass a colon. However, this is a bit of a hack.
> It would be nice if there was a flag (maybe a magic value for user?) where
> the request would be denied, optionally waiting maybe a second or so for the
> service to become available.
> The ':' solves the direct problem. It is a nasty access point that makes
> systems vulnerable to attacks so it should at least be mentioned and best
> provided with a mechanism.

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
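
The ':' workaround described in the issue, as an added example (not Felix code and not part of the original message): a Python model of a user/password fallback check, showing that no Basic header is accepted once the configured user is ':'. It assumes the server parses credentials per RFC 7617, splitting at the first colon; `parse_basic`, `fallback_login_ok`, `header_for`, `accepted` and the attempt list are hypothetical names and constructed inputs.

```python
import base64
import binascii
import hmac

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id ends at the FIRST colon, so it can never contain one.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def fallback_login_ok(header, cfg_user, cfg_password):
    """Hypothetical model of the user/password fallback check (not Felix code)."""
    creds = parse_basic(header)
    if creds is None:
        return False
    # Constant-time comparison of both fields against the configured values.
    user_ok = hmac.compare_digest(creds[0].encode(), cfg_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), cfg_password.encode())
    return user_ok and pass_ok

def header_for(raw):
    """Build a Basic header from a raw 'user:password' string (constructed input)."""
    return "Basic " + base64.b64encode(raw.encode()).decode()

# Constructed client inputs, including raw strings that begin with ':'.
ATTEMPTS = ["admin:admin", "::admin", ":admin", ":::", ":", "%3A:admin", ""]

def accepted(cfg_user, cfg_password):
    """Return the constructed attempts the fallback check would accept."""
    return [a for a in ATTEMPTS
            if fallback_login_ok(header_for(a), cfg_user, cfg_password)]

if __name__ == "__main__":
    print("default admin/admin accepts:", accepted("admin", "admin"))
    print("user ':' accepts:", accepted(":", "admin"))
```

The guarantee holds only while the parser splits at the first colon; the parsed user-id is then always colon-free and cannot equal ':'.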