Can the console not use a different port/container from the base settings? Similar to the approach done in WebSphere. This would significantly reduce the exposure and would not require defaulting to HTTPS without proper infrastructure.
Heinz

On 10/19/06, Aaron Mulder (JIRA) <dev@geronimo.apache.org> wrote:

[ http://issues.apache.org/jira/browse/GERONIMO-911?page=comments#action_12443623 ]

Aaron Mulder commented on GERONIMO-911:
---------------------------------------

Not only that, but you get a different warning if the host name of the HTTPS server doesn't match the host name of the certificate. Our only option would be to get a certificate for "localhost" and assume that the user wouldn't put the proper server hostname into the URL (e.g. https://localhost would work but https://my.server.com would not), but I suspect we'd have trouble getting a certificate issued for "localhost" since it would be so subject to abuse.

Bottom line, I don't think we can default to HTTPS. But we can certainly provide a document or wizard to enable HTTPS (where you select a real keystore, enter passwords, etc.) and point you to the HTTPS URL for the console. That would be the better way to go in my opinion.

> Admin Console should require SSL
> --------------------------------
>
>                 Key: GERONIMO-911
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-911
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues)
>          Components: console
>    Affects Versions: 1.0-M5
>         Environment: all
>            Reporter: Donald Woods
>         Assigned To: Donald Woods
>            Priority: Trivial
>             Fix For: 1.x
>
>         Attachments: Geronimo-911.patch
>
>
> Admin Console login and Portlet access should require SSL to protect the system password and any connector/DB/LDAP configured passwords in the Portlets.
> I'm willing to create and post a patch for this, once I get a couple other items off my plate...
> -Donald

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
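The host-name check behind Aaron's point, as an added example that is not part of this thread and not Geronimo code: a small Python model of how a TLS client matches the names in a server certificate against the host in the URL. The "localhost" certificate and the hosts `localhost` and `my.server.com` come from the discussion above; the `127.0.0.1` entry, the `*.server.com` wildcard, the `SERVER_CERT` dictionary and the function names are constructed for the illustration. It also shows the wildcard and IP-literal rules, which go beyond the single case in the message.

```python
"""Model of the TLS server-identity check a browser performs.

Added example, not code from Geronimo or from this thread. The certificates
below are constructed for illustration; a real client reads the names from the
certificate's subjectAltName extension.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlparse


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a host name.

    Rules as browsers apply them (RFC 6125 style): case-insensitive,
    label-by-label comparison; a wildcard is only honoured as the entire
    left-most label, matches exactly one label, and is rejected for names
    as broad as "*.com".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if any("*" in label for label in p_labels[1:]):
        return False  # a wildcard anywhere but the left-most label is invalid
    if "*" in p_labels[0]:
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False  # partial wildcard ("f*o") or too broad ("*.com")
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def certificate_covers_host(san_dns: list[str], san_ip: list[str], host: str) -> bool:
    """True if the certificate's subjectAltName entries cover `host`."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal in the URL is compared only against iPAddress entries,
        # never against DNS names: a cert for "localhost" does not cover
        # https://127.0.0.1/ unless that address is listed explicitly.
        return any(ipaddress.ip_address(ip) == addr for ip in san_ip)
    return any(dns_name_matches(name, host) for name in san_dns)


def check_console_url(cert: dict, url: str) -> str:
    """Return the outcome a browser would report for an HTTPS console URL."""
    host = urlparse(url).hostname
    if host is None:
        return "no host in URL"
    if certificate_covers_host(cert["dns"], cert["ip"], host):
        return "ok"
    return "hostname mismatch"


# Constructed: the kind of certificate a server could ship by default. It is
# issued for loopback names only, so it does not cover the machine's real name.
LOCALHOST_CERT = {"dns": ["localhost"], "ip": ["127.0.0.1"]}

# Constructed: a certificate a setup wizard would install from a real keystore.
SERVER_CERT = {"dns": ["my.server.com", "*.server.com"], "ip": []}

if __name__ == "__main__":
    for url in ("https://localhost:8443/console",
                "https://127.0.0.1:8443/console",
                "https://my.server.com:8443/console"):
        print(f"{url:40} localhost cert: {check_console_url(LOCALHOST_CERT, url):18}"
              f"server cert: {check_console_url(SERVER_CERT, url)}")
```

Run stand-alone, the loop shows the asymmetry the message describes: the "localhost" certificate is accepted only when the URL names the loopback host, and any URL using the server's real name produces the mismatch warning. Only a certificate that actually lists that name (the second dictionary, which is what a keystore-based wizard would provide) clears it.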