Details
- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Duplicate
Description
The web console can use a Web Console Security Provider to handle the authorization of a request using an optional service. If this service is not present, the configuration 'user' and 'password' are used for the login (default admin/admin).
If the security provider service is used, then this creates a window where the webconsole is unprotected when the provider bundle is not yet started or updated.
One solution is to set the user id to ':' since the Basic Authentication protocol can never pass a colon. However, this is a bit of a hack.
It would be nice if there was a flag (maybe a magic value for user?) where the request would be denied, optionally waiting maybe a second or so for the service to become available.
The ':' solves the direct problem. It is a nasty access point that makes systems vulnerable to attacks, so it should at least be mentioned and best provided with a mechanism.
Issue Links
- duplicates FELIX-6168 Enable WebConsole login only after specified Security Providers are present (Closed)
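
The fallback and the ':' workaround described in this issue, modelled in plain Java as an added example (not Felix's own code). `ConsoleLoginSketch`, `parseBasic`, `login` and `basic` are hypothetical names, the provider is reduced to a `BiPredicate` stand-in rather than the real security provider service, and all credentials are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.function.BiPredicate;

public class ConsoleLoginSketch {
    /** Decodes a Basic Authorization header and splits it at the FIRST colon. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        String creds = new String(raw, StandardCharsets.UTF_8);
        int colon = creds.indexOf(':');
        if (colon < 0) return null;
        // The user id is everything before the first colon, so it can never contain one.
        return new String[] { creds.substring(0, colon), creds.substring(colon + 1) };
    }

    /** Models the fallback: with no provider present, the configured user/password decide. */
    static boolean login(String header, Optional<BiPredicate<String, String>> provider,
                         String cfgUser, String cfgPassword) {
        String[] c = parseBasic(header);
        if (c == null) return false;
        if (provider.isPresent()) return provider.get().test(c[0], c[1]);
        return c[0].equals(cfgUser) && c[1].equals(cfgPassword);
    }

    static String basic(String userPass) {
        return "Basic " + Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Optional<BiPredicate<String, String>> absent = Optional.empty(); // provider bundle not started yet
        // Default configuration: the configured pair is accepted while the provider is missing.
        System.out.println("default config, no provider: " + login(basic("admin:admin"), absent, "admin", "admin"));
        // Configured user ':' : no decoded user id can equal it, so every attempt is rejected.
        for (String attempt : new String[] { "admin:admin", ":", "::", ":::x" }) {
            System.out.println("user ':' configured, attempt '" + attempt + "': " + login(basic(attempt), absent, ":", "x"));
        }
        // Once the provider is registered it decides, whatever the configured values are.
        BiPredicate<String, String> p = (u, pw) -> u.equals("alice") && pw.equals("s3cret");
        System.out.println("provider present: " + login(basic("alice:s3cret"), Optional.of(p), ":", "x"));
    }
}
```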