  1. Felix
  2. FELIX-5774

Webconsole default security cannot be disabled


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Web Console
    • Labels:
      None

      Description

      The web console can use a Web Console Security Provider to handle the authorization of a request using an optional service. If this service is not present, the configuration 'user' and 'password' are used for the login (default admin/admin).

      If the security provider service is used then this creates a window where the webconsole is unprotected when the provider bundle is not yet started or updated. 

      One solution is to set the user id to ':' since the Basic Authentication protocol can never pass a colon. However, this is a bit of a hack.

      It would be nice if there was a flag (maybe a magic value for user?) where the request would be denied, optionally waiting maybe a second or so for the service to become available.

      The ':' solves the direct problem. It is a nasty access point that makes systems vulnerable to attacks, so it should at least be mentioned and best provided with a mechanism.
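The ':' workaround in the report relies on how Basic credentials are parsed: the user-id ends at the first colon (RFC 7617), so no request can ever present ':' as a user name. The following is an added example, not part of the original report or Felix's code; `fallback_login` is a hypothetical model of the configured user/password check, and the sample credentials are constructed.

```python
import base64
import hmac


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None.

    Per RFC 7617 the user-id ends at the FIRST colon, so the parsed
    user name can never contain a colon itself.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:  # no colon at all: malformed credentials
        return None
    return user, password


def fallback_login(header, cfg_user, cfg_password):
    """Hypothetical model of the fallback used when no security provider
    service is registered: compare against the configured user/password."""
    creds = parse_basic(header)
    if creds is None:
        return False
    user, password = creds
    user_ok = hmac.compare_digest(user.encode(), cfg_user.encode())
    pass_ok = hmac.compare_digest(password.encode(), cfg_password.encode())
    return user_ok and pass_ok


def header_for(raw):
    """Build an Authorization header from a raw 'user:password' string."""
    return "Basic " + base64.b64encode(raw.encode()).decode("ascii")


# Constructed sample credentials, including attempts to send ':' as the user.
SAMPLES = ["admin:admin", ":", "::", ":::secret", "ops:pw:with:colons"]


def accepted(cfg_user, cfg_password):
    """List the sample credentials the fallback would accept."""
    return [raw for raw in SAMPLES
            if fallback_login(header_for(raw), cfg_user, cfg_password)]
```

With the default configuration the fallback accepts `admin:admin`; with the user set to ':' it accepts nothing, whatever password is configured.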


              People

              • Assignee:
                Unassigned
                Reporter:
                pkriens Peter Kriens