[gatein-commits] gatein SVN: r5528 - epp/docs/branches/EPP_5_1_Branch/Reference_Guide/en-US/modules/AuthenticationAndIdentity.

[do-not-reply at jboss.org]

Author: thomas.heute at jboss.com
Date: 2010-12-09 09:49:24 -0500 (Thu, 09 Dec 2010)
New Revision: 5528

Modified:
   epp/docs/branches/EPP_5_1_Branch/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml
Log:
JBEPP-719: Add a note about disabling the remember-me feature


Modified: epp/docs/branches/EPP_5_1_Branch/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml
===================================================================
--- epp/docs/branches/EPP_5_1_Branch/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml	2010-12-09 14:42:02 UTC (rev 5527)
+++ epp/docs/branches/EPP_5_1_Branch/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml	2010-12-09 14:49:24 UTC (rev 5528)
@@ -16,6 +16,10 @@
 		<para>
 			The token service allows administrators to create, delete, retrieve and clean tokens as required. The service also defines a validity period of any given token. The token becomes invalid once this period expires.
 		</para>
+		<warning>
+			<title>Username and passwords stored in clear</title>
+			<para>The remember-me feature is using the token mechanism to be able to authenticate the user on his behalf. To be able to authenticate, the token needs to store the username and password in clear text in the JCR. The remember-me feature can simply be disabled by removing the corresponding checkbox in: <filename><replaceable>JBOSS_HOME</replaceable>/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/02portal.war/login/jsp/login.jsp</filename> and <filename><replaceable>JBOSS_HOME</replaceable>/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/02portal.war/groovy/portal/webui/UILoginForm.gtmpl</filename></para>
+                </warning>
 	</section>