[ https://issues.apache.org/jira/browse/FELIX-5774?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler resolved FELIX-5774.
-------------------------------------
    Resolution: Duplicate

> Webconsole default security cannot be disabled
> ----------------------------------------------
>
>                 Key: FELIX-5774
>                 URL: https://issues.apache.org/jira/browse/FELIX-5774
>             Project: Felix
>          Issue Type: Bug
>          Components: Web Console
>            Reporter: Peter Kriens
>            Priority: Minor
>
> The web console can use a Web Console Security Provider to handle the 
> authorization of a request using an optional service. If this service is not 
> present, the configuration 'user' and 'password' are used for the login 
> (default admin/admin).
> If the security provider service is used then this creates a window where the 
> webconsole is unprotected when the provider bundle is not yet started or 
> updated. 
> One solution is to set the user id to ':' since the Basic Authentication 
> protocol can never pass a colon. However, this is a bit of a hack.
> It would be nice if there was a flag (maybe a magic value for user?) where 
> the request would be denied, optionally waiting maybe a second or so for the 
> service to become available.
> The ':' solves the direct problem. It is a nasty access point that makes 
> systems vulnerable to attacks so it should at least be mentioned and best 
> provided with a mechanism.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
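
Why the ':' user id from the issue cannot be matched by any Basic Authentication request, as an added example that is not part of the original message or of Felix's code. `parse_basic`, `authorize` and `basic` are hypothetical names, the fallback logic is a simplified model of the behaviour the issue describes, and all credentials are constructed sample values.

```python
import base64
import hmac


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None.

    RFC 7617: credentials are base64(user-id ":" password) and the receiver
    splits at the FIRST colon, so a decoded user-id never contains a colon.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers invalid base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(header, provider, cfg_user, cfg_password):
    """Simplified model (assumption): use the security provider when it is
    registered, otherwise fall back to the configured user/password."""
    creds = parse_basic(header)
    if creds is None:
        return False
    user, password = creds
    if provider is not None:
        return provider(user, password)
    # Fallback path: this is the window while the provider bundle is absent.
    return (hmac.compare_digest(user.encode(), cfg_user.encode())
            and hmac.compare_digest(password.encode(), cfg_password.encode()))


def basic(user, password):
    """Build the header a client would send (constructed test input)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    # Provider not yet started, default configuration: the fallback admits admin/admin.
    print(authorize(basic("admin", "admin"), None, "admin", "admin"))  # True
    # Same window with user set to ':': no header can decode to that user-id.
    print(authorize(basic("admin", "admin"), None, ":", "admin"))      # False
    print(parse_basic(basic(":", "admin")))                            # ('', ':admin')
```

A client that tries to send ':' as the user name ends up with an empty user-id and the colon pushed into the password, so the fallback comparison fails and the console stays closed until the provider is registered.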
