Jetspeed 2
JS2-1258

Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin user

    Details

      Description

      The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
      However, this also poses a potential security risk if some "type" of users would blindly install this in a publicly accessible way, without adjusting the default configuration.
      To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.

      To this end, the default/demo configuration will be changed to:

      a) Require the demo admin user to change the password on first use (for all demo variants; some already have this, but not yet all)

      b) By default disable usage of the Tomcat Manager through the PortletApplicationManagement portlet

      • no default Tomcat Manager user will be pre-configured anymore in tomcat-users.xml (JetspeedInstaller)
      • in jetspeed.properties the example Tomcat Manager username/password will now by default be empty (undefined)
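The two settings under b) are easy to verify after an install. The following is an added example (not part of this issue, and not Jetspeed or Tomcat code) that audits a tomcat-users.xml and a jetspeed.properties for exactly those two conditions: any user holding a Tomcat Manager role, and non-empty Manager credentials. The property key names USER_KEY / PASSWORD_KEY are an assumption, since the issue does not name them; the sample files are constructed inline so the script runs offline, with the demo-style configuration next to the hardened one.

```python
"""Audit a Jetspeed demo install for the two Tomcat Manager settings JS2-1258 removes.

Added example, not Jetspeed or Tomcat code. All inputs below are constructed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Tomcat roles that grant access to the Manager application (the legacy
# "manager" role plus the split roles introduced in Tomcat 7).
MANAGER_ROLES = {"manager", "manager-gui", "manager-script", "manager-jmx", "manager-status"}

# ASSUMPTION: the jetspeed.properties keys holding the Tomcat Manager
# credentials. The issue does not name them; adjust to your installation.
USER_KEY = "autodeployment.user"
PASSWORD_KEY = "autodeployment.password"

_PROP_RE = re.compile(r"^\s*([^\s=:]+)\s*[=:]?\s*(.*?)\s*$")


def manager_users(tomcat_users_xml: str) -> list[str]:
    """Return usernames in tomcat-users.xml that hold any Manager role."""
    root = ET.fromstring(tomcat_users_xml)
    found = []
    for elem in root.iter():
        if elem.tag.rpartition("}")[2] != "user":  # tolerate the Tomcat 7+ namespace
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if roles & MANAGER_ROLES:
            # Tomcat accepts both "username" and the older "name" attribute.
            found.append(elem.get("username") or elem.get("name") or "<unnamed>")
    return found


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' separator."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(tomcat_users_xml: str, jetspeed_properties: str) -> list[str]:
    """List findings; an empty list means both hardening changes are in place."""
    findings = [f"tomcat-users.xml pre-configures Tomcat Manager user '{u}'"
                for u in manager_users(tomcat_users_xml)]
    props = parse_properties(jetspeed_properties)
    user, password = props.get(USER_KEY, ""), props.get(PASSWORD_KEY, "")
    if user or password:  # an empty or absent value is what the hardened default looks like
        findings.append(f"jetspeed.properties sets non-empty {USER_KEY}/{PASSWORD_KEY}")
    return findings


# Constructed samples: a demo-style configuration and its hardened counterpart.
DEMO_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-script"/>
  <user username="demo-manager" password="demo-manager" roles="manager-script"/>
</tomcat-users>
"""
HARDENED_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <!-- no Manager user: PortletApplicationManagement cannot reach the Tomcat Manager -->
</tomcat-users>
"""
DEMO_PROPS = f"""# Tomcat Manager credentials used by the PortletApplicationManagement portlet
{USER_KEY}=demo-manager
{PASSWORD_KEY}=demo-manager
"""
HARDENED_PROPS = f"""# Left empty on purpose: Tomcat Manager usage stays disabled until the admin opts in
{USER_KEY}=
{PASSWORD_KEY}=
"""

if __name__ == "__main__":
    for label, users, props in (("demo", DEMO_TOMCAT_USERS, DEMO_PROPS),
                                ("hardened", HARDENED_TOMCAT_USERS, HARDENED_PROPS)):
        result = audit(users, props)
        print(f"{label}: {'OK' if not result else 'FINDINGS'}")
        for finding in result:
            print("  -", finding)
```

Run against a real installation by reading the two files from disk and passing their contents to audit(); the demo sample produces two findings, the hardened sample none. Note that the check only covers item b) of the issue; whether the demo admin user is forced to change its password on first use is a Jetspeed-side setting that this script does not inspect.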


          People

          • Assignee:
            Unassigned
            Reporter:
            Ate Douma
