Secure default Jetspeed demo installer configuration requiring end user to
provide admin passwords and choice of enabling the usage of the Tomcat manager
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Key: JS2-1258
URL: https://issues.apache.org/jira/browse/JS2-1258
Project: Jetspeed 2
Issue Type: Improvement
Components: Installer
Affects Versions: 2.2.1
Reporter: Ate Douma
Fix For: 2.2.2
The Jetspeed demo installer uses a convenient default username/password
configuration which makes it easy for end-users to get started.
However, this also poses a potential security risk if some "type" of users would
blindly install this in a publicly accessible way, without adjusting the default
configuration.

To protect such users from hurting themselves, we must force them to make this
an explicit choice, and by default only provide a restricted (limited)
configuration.

To this end, the Installer will be modified to:
a) Require the installing user to specify a password for the Jetspeed Portal
admin user
b) Make enabling the usage of the Tomcat manager optional and disabled by
default

The Tomcat manager is needed by the Portlet Application Manager to
start/stop/delete Portlet Applications.
To enable the usage of the Tomcat manager, the installing user is required to
specify (both) the Tomcat user name and password to be granted the Tomcat
"manager" role.
If no username/password is provided, no Tomcat user will be enabled and thus
usage of the Tomcat manager will not be possible.
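
The two installer rules described in this issue, as an added Python sketch that is not Jetspeed installer code. All function and class names are hypothetical, and rejecting a half-supplied Tomcat credential pair (instead of silently ignoring it) is an assumption of this sketch.

```python
# Added illustration of the JS2-1258 rules; not Jetspeed installer code.
# Names are hypothetical; rejecting partial Tomcat credentials is an assumption.
from dataclasses import dataclass, field
from typing import Optional
from xml.sax.saxutils import quoteattr


class InstallerConfigError(ValueError):
    """The installing user has not made a required explicit choice."""


@dataclass(frozen=True)
class InstallPlan:
    portal_admin_password: str = field(repr=False)  # keep it out of logs/repr
    tomcat_manager_enabled: bool
    tomcat_users_xml: str


def is_blank(value: Optional[str]) -> bool:
    return value is None or value.strip() == ""


def render_tomcat_users(user: Optional[str], password: Optional[str]) -> str:
    """Render tomcat-users.xml; with no user, nobody holds the manager role."""
    lines = ["<tomcat-users>"]
    if user is not None:
        lines.append('  <role rolename="manager"/>')
        # quoteattr escapes &, <, > and quotes so credentials cannot break the XML
        lines.append(f'  <user username={quoteattr(user)} '
                     f'password={quoteattr(password)} roles="manager"/>')
    lines.append("</tomcat-users>")
    return "\n".join(lines) + "\n"


def build_install_plan(admin_password: Optional[str],
                       tomcat_user: Optional[str] = None,
                       tomcat_password: Optional[str] = None) -> InstallPlan:
    # (a) No built-in fallback: the portal admin password must be supplied.
    if is_blank(admin_password):
        raise InstallerConfigError("portal admin password is required")
    # (b) Default path: no Tomcat credentials, so the manager stays disabled.
    if is_blank(tomcat_user) and is_blank(tomcat_password):
        return InstallPlan(admin_password, False, render_tomcat_users(None, None))
    # Enabling the manager needs both the user name and the password.
    if is_blank(tomcat_user) or is_blank(tomcat_password):
        raise InstallerConfigError("Tomcat manager needs both user name and password")
    return InstallPlan(admin_password, True,
                       render_tomcat_users(tomcat_user, tomcat_password))
```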