[ https://issues.apache.org/jira/browse/JS2-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ate Douma updated JS2-1258:
---------------------------

    Component/s: Security
                 Deployment
                 Assembly/Configuration
    Description: 
The Jetspeed demo installer uses a convenient default username/password 
configuration which makes it easy for end-users to get started.
However, this also poses a potential security risk if some "type" of users would 
blindly install this in a publicly accessible way, without adjusting the default 
configuration.
To protect such users from hurting themselves, we must force them to make this 
an explicit choice, and by default only provide a restricted (limited) 
configuration.

To this end, the default/demo configuration will be changed to:

a) Require admin/manager role users to change their password on first use.
To this end, only one user, admin, will be provided; the manager example 
user will be dropped from the demo seed data. 

b) By default, disable usage of the Tomcat Manager through the 
PortletApplicationManagement portlet:
- no default Tomcat manager user will be pre-configured anymore in 
tomcat-user.xml (JetspeedInstaller)
- in jetspeed.properties the example Tomcat Manager username/password will now 
by default be empty (undefined)


  was:
The Jetspeed demo installer uses a convenient default username/password 
configuration which makes it easy for end-users to get started.
However, this also poses a potential security risk if some "type" of users would 
blindly install this in a publicly accessible way, without adjusting the default 
configuration.
To protect such users from hurting themselves, we must force them to make this 
an explicit choice, and by default only provide a restricted (limited) 
configuration.

To this end, the Installer will be modified to:

a) Require the installing user to specify a password for the Jetspeed Portal 
admin user.

b) Make enabling the usage of the Tomcat manager optional and disabled by 
default.
The Tomcat manager is needed by the Portlet Application Manager to 
start/stop/delete Portlet Applications.
To enable the usage of the Tomcat manager, the installing user is required to 
specify (both) the Tomcat user name and password to be granted the Tomcat 
"manager" role.
If no username/password is provided, no Tomcat user will be enabled and thus 
usage of the Tomcat manager will not be possible. 

        Summary: Harden default/demo Jetspeed security configuration by 
disabling usage of the Tomcat Manager and force change password on demo admin 
and manager role users   (was: Secure default Jetspeed demo installer 
configuration requiring end user to provide admin passwords and choice of 
enabling the usage of the Tomcat manager  )

> Harden default/demo Jetspeed security configuration by disabling usage of the 
> Tomcat Manager and force change password on demo admin and manager role users 
> ------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: JS2-1258
>                 URL: https://issues.apache.org/jira/browse/JS2-1258
>             Project: Jetspeed 2
>          Issue Type: Improvement
>          Components: Assembly/Configuration, Deployment, Installer, Security
>    Affects Versions: 2.2.1
>            Reporter: Ate Douma
>             Fix For: 2.2.2
>

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira