Can the console not use a different port/container from the base
settings? Similar to the approach done in WebSphere.
This would significantly reduce the exposure and would not require
defaulting to HTTPS without proper infrastructure.
Heinz
On 10/19/06, Aaron Mulder (JIRA) <[email protected]> wrote:
[ http://issues.apache.org/jira/browse/GERONIMO-911?page=comments#action_12443623 ]
Aaron Mulder commented on GERONIMO-911:
---------------------------------------
Not only that, but you get a different warning if the host name of the HTTPS server doesn't match
the host name of the certificate. Our only option would be to get a certificate for
"localhost" and assume that the user wouldn't put the proper server hostname into the URL
(e.g. https://localhost would work but https://my.server.com would not), but I suspect we'd have
trouble getting a certificate issued for "localhost" since it would be so subject to
abuse.
Bottom line, I don't think we can default to HTTPS. But we can certainly
provide a document or wizard to enable HTTPS (where you select a real keystore,
enter passwords, etc.) and point you to the HTTPS URL for the console. That
would be the better way to go in my opinion.
> Admin Console should require SSL
> --------------------------------
>
> Key: GERONIMO-911
> URL: http://issues.apache.org/jira/browse/GERONIMO-911
> Project: Geronimo
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Components: console
> Affects Versions: 1.0-M5
> Environment: all
> Reporter: Donald Woods
> Assigned To: Donald Woods
> Priority: Trivial
> Fix For: 1.x
>
> Attachments: Geronimo-911.patch
>
>
> Admin Console login and Portlet access should require SSL to protect the system password and any connector/DB/LDAP configured passwords in the Portlets.
> I'm willing to create and post a patch for this, once I get a couple other items off my plate... -Donald