Jetspeed 2 / JS2-1258

Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin user

    Details

      Description

      The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
      However, this also poses a potential security risk if some "type" of users would blindly install this in a publicly accessible way, without adjusting the default configuration.
      To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.

      To this end, the default/demo configuration will be changed to:

      a) Require demo admin user to change the password on first use (for all demo variants, some already have this but not yet all)

      b) By default disable usage of the Tomcat Manager through the PortletApplicationManagement portlet

      • no default Tomcat manager user will be pre-configured anymore in tomcat-users.xml (JetspeedInstaller)
      • in jetspeed.properties the example Tomcat Manager username/password will now by default be empty (undefined)
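The two defaults this issue removes can be checked for on an existing install. The script below is an added example, not part of Jetspeed, its installer or the JS2-1258 change set: it inspects a Tomcat tomcat-users.xml for an active user holding the manager role (ignoring commented-out template entries) and a jetspeed.properties for non-empty Tomcat Manager credentials. The property keys autodeployment.user and autodeployment.password are an assumption and should be checked against your own jetspeed.properties; the user name, password and sample files are constructed for the example.

```shell
#!/bin/sh
# Added audit helper for the JS2-1258 defaults; example code, not part of
# Jetspeed or its installer. It checks a Tomcat tomcat-users.xml and a Jetspeed
# jetspeed.properties for the two pre-hardening demo defaults:
#   1. a Tomcat user pre-configured with the "manager" role
#   2. non-empty Tomcat Manager credentials in jetspeed.properties
# ASSUMPTION: the property keys are taken to be autodeployment.user and
# autodeployment.password; verify them against your own jetspeed.properties.

# Print file $1 with XML comments removed (comments may span lines), so a
# commented-out <user .../> template is not mistaken for an active account.
strip_xml_comments() {
    awk '
    { line = $0; out = ""
      while (length(line) > 0) {
        if (incomment) {
          i = index(line, "-->")
          if (i == 0) { line = ""; break }
          line = substr(line, i + 3); incomment = 0
        } else {
          i = index(line, "<!--")
          if (i == 0) { out = out line; line = ""; break }
          out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1
        }
      }
      print out
    }' "$1"
}

# True when tomcat-users.xml ($1) defines an active <user> whose roles list
# contains "manager" (or a manager-* role as used by newer Tomcat versions).
has_manager_user() {
    strip_xml_comments "$1" |
        grep -Eq '<user[^>]*roles="([^"]*,)?[[:space:]]*manager(-[a-z]+)?[[:space:]]*(,[^"]*)?"'
}

# Print the value of key $2 in properties file $1 (empty if unset or blank).
prop_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*[=:][[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# True when jetspeed.properties ($1) carries both a user and a password for the
# Tomcat Manager, i.e. deployment through the manager is enabled.
manager_credentials_set() {
    [ -n "$(prop_value "$1" autodeployment.user)" ] &&
    [ -n "$(prop_value "$1" autodeployment.password)" ]
}

# Audit one install: prints each finding and returns the number of findings
# (0 means the hardened defaults are in place).
audit_install() {
    findings=0
    if has_manager_user "$1"; then
        echo "FINDING: $1 pre-configures a Tomcat user with the manager role"
        findings=$((findings + 1))
    fi
    if manager_credentials_set "$2"; then
        echo "FINDING: $2 sets Tomcat Manager credentials (autodeployment.user/password)"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample files: the old demo defaults beside the hardened ones.
# The user name and password below are made up for this example.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
WEAK_USERS="$SAMPLE_DIR/tomcat-users.weak.xml"
SAFE_USERS="$SAMPLE_DIR/tomcat-users.safe.xml"
WEAK_PROPS="$SAMPLE_DIR/jetspeed.weak.properties"
SAFE_PROPS="$SAMPLE_DIR/jetspeed.safe.properties"

cat > "$WEAK_USERS" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="demo_deployer" password="changeme" roles="manager"/>
</tomcat-users>
EOF

cat > "$SAFE_USERS" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <!-- No manager user by default. Uncomment and set a strong password only
       if the Portlet Application Manager must use the Tomcat Manager:
  <user username="demo_deployer" password="CHANGE-ME" roles="manager"/>
  -->
</tomcat-users>
EOF

printf 'autodeployment.user = demo_deployer\nautodeployment.password = changeme\n' > "$WEAK_PROPS"
printf 'autodeployment.user =\nautodeployment.password =\n' > "$SAFE_PROPS"

echo "== old demo defaults =="; audit_install "$WEAK_USERS" "$WEAK_PROPS" || echo "$? finding(s)"
echo "== hardened defaults =="; audit_install "$SAFE_USERS" "$SAFE_PROPS" && echo "clean"
```

Run it against a real install by calling audit_install with the paths to Tomcat's conf/tomcat-users.xml and the portal's WEB-INF/conf/jetspeed.properties; a non-zero return means the demo-era defaults are still active. The comment stripping matters because stock tomcat-users.xml files ship with example users commented out, and a plain grep would report those as live accounts.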

        Activity

        Ate Douma created issue
        Ate Douma made changes
        Field: Summary
          Original Value: Secure default Jetspeed demo installer configuration requiring end user to provide admin passwords and choice of enabling the usage of the Tomcat manager
          New Value: Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin and manager role users
        Field: Description
          Original Value:
            The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
            However, this also poses a potential security risk if some "type" of users would blindly install this in a publicly accessible way, without adjusting the default configuration.
            To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.

            To this end, the Installer will be modified to:

            a) Require the installing user to specify a password for the Jetspeed Portal admin user

            b) Make enabling the usage of the Tomcat manager optional and disabled by default
            The Tomcat manager is needed by the Portlet Application Manager to start/stop/delete Portlet Applications.
            To enable the usage of the Tomcat manager, the installing user is required to specify (both) the Tomcat user name and password to be granted the Tomcat "manager" role.
            If no username/password is provided, no Tomcat user will be enabled and thus usage of the Tomcat manager is not possible.
          New Value:
            The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
            However, this also poses a potential security risk if some "type" of users would blindly install this in a publicly accessible way, without adjusting the default configuration.
            To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.

            To this end, the default/demo configuration will be changed to:

            a) Require admin/manager role users to change their password on first use
            To this end also only one user, admin, will be provided; the manager example user will be dropped from the demo seed data.

            b) By default disable usage of the Tomcat Manager through the PortletApplicationManagement portlet
            - no default Tomcat manager user will be pre-configured anymore in tomcat-users.xml (JetspeedInstaller)
            - in jetspeed.properties the example Tomcat Manager username/password will now by default be empty (undefined)
        Field: Component/s
          Original Value: (none)
          New Value: Assembly/Configuration [ 11220 ]
        Field: Component/s
          Original Value: (none)
          New Value: Deployment [ 11181 ]
        Field: Component/s
          Original Value: (none)
          New Value: Security [ 11141 ]
        Ate Douma made changes
        Field: Description
          Original Value: (unchanged from the New Value of the previous change, shown above)
          New Value:
            The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
            However, this also poses a potential security risk if some "type" of users would blindly install this in a publicly accessible way, without adjusting the default configuration.
            To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.

            To this end, the default/demo configuration will be changed to:

            a) Require admin/manager role users to change their password on first use
            To this end also only one user, admin, will be provided having the admin and/or manager role; the example manager user will no longer have the manager role through the demo seed data.

            b) By default disable usage of the Tomcat Manager through the PortletApplicationManagement portlet
            - no default Tomcat manager user will be pre-configured anymore in tomcat-users.xml (JetspeedInstaller)
            - in jetspeed.properties the example Tomcat Manager username/password will now by default be empty (undefined)
        Ate Douma made changes
        Field: Description
          Original Value: (unchanged from the New Value of the previous change, shown above)
          New Value:
            The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
            However, this also poses a potential security risk if some "type" of users would blindly install this in a publicly accessible way, without adjusting the default configuration.
            To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.

            To this end, the default/demo configuration will be changed to:

            a) Require demo admin user to change the password on first use (for all demo variants, some already have this but not yet all)
            b) Access to the PortletApplicationManager j2-admin page will be further restricted to admin role user only (currently restricted to managers)

            b) By default disable usage of the Tomcat Manager through the PortletApplicationManagement portlet
            - no default Tomcat manager user will be pre-configured anymore in tomcat-users.xml (JetspeedInstaller)
            - in jetspeed.properties the example Tomcat Manager username/password will now by default be empty (undefined)
        Ate Douma made changes
        Field: Description
          Original Value: (unchanged from the New Value of the previous change, shown above)
          New Value:
            The Jetspeed demo installer uses a convenient default username/password configuration which makes it easy for end-users to get started.
            However, this also poses a potential security risk if some "type" of users would blindly install this in a publicly accessible way, without adjusting the default configuration.
            To protect such users from hurting themselves, we must force them to make this an explicit choice, and by default only provide a restricted (limited) configuration.

            To this end, the default/demo configuration will be changed to:

            a) Require demo admin user to change the password on first use (for all demo variants, some already have this but not yet all)

            b) By default disable usage of the Tomcat Manager through the PortletApplicationManagement portlet
            - no default Tomcat manager user will be pre-configured anymore in tomcat-users.xml (JetspeedInstaller)
            - in jetspeed.properties the example Tomcat Manager username/password will now by default be empty (undefined)
        Ate Douma made changes
        Field: Summary
          Original Value: Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin and manager role users
          New Value: Harden default/demo Jetspeed security configuration by disabling usage of the Tomcat Manager and force change password on demo admin user
        Ate Douma made changes
        Field: Status
          Original Value: Open [ 1 ]
          New Value: Resolved [ 5 ]
        Field: Resolution
          Original Value: (none)
          New Value: Fixed [ 1 ]

          People

          Assignee: Unassigned
          Reporter: Ate Douma
          Votes: 0
          Watchers: 0
