Author: thomas.heute(a)jboss.com
Date: 2010-12-09 09:49:24 -0500 (Thu, 09 Dec 2010)
New Revision: 5528
Modified:
epp/docs/branches/EPP_5_1_Branch/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml
Log:
JBEPP-719: Add a note about disabling the remember-me feature
Modified:
epp/docs/branches/EPP_5_1_Branch/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml
===================================================================
---
epp/docs/branches/EPP_5_1_Branch/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml 2010-12-09
14:42:02 UTC (rev 5527)
+++
epp/docs/branches/EPP_5_1_Branch/Reference_Guide/en-US/modules/AuthenticationAndIdentity/AuthenticationTokenConfiguration.xml 2010-12-09
14:49:24 UTC (rev 5528)
@@ -16,6 +16,10 @@
<para>
The token service allows administrators to create, delete, retrieve and clean tokens
as required. The service also defines a validity period of any given token. The token
becomes invalid once this period expires.
</para>
+ <warning>
+ <title>Username and passwords stored in clear</title>
+ <para>The remember-me feature is using the token mechanism to be able to
authenticate the user on his behalf. To be able to authenticate, the token needs to store
the username and password in clear text in the JCR. The remember-me feature can simply be
disabled by removing the corresponding checkbox in:
<filename><replaceable>JBOSS_HOME</replaceable>/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/02portal.war/login/jsp/login.jsp</filename>
and
<filename><replaceable>JBOSS_HOME</replaceable>/server/<replaceable>PROFILE</replaceable>/deploy/gatein.ear/02portal.war/groovy/portal/webui/UILoginForm.gtmpl</filename></para>
+ </warning>
</section>
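Review bot: The added <warning> says the remember-me feature "can simply be disabled by removing the corresponding checkbox", but it does not tell the administrator what to do about tokens that were already written to the JCR with the username and password in clear text. The paragraph just above states that the token service lets administrators delete and clean tokens, so the warning should point to that and recommend cleaning existing remember-me tokens after the checkbox is removed from login.jsp and UILoginForm.gtmpl. It would also help to state whether removing the checkbox is sufficient on its own, or whether the server side still accepts a remember-me request once the control is gone from the two templates. Wording points in the same block: the title reads better as "Usernames and passwords stored in clear text", "is using the token mechanism" as "uses the token mechanism", and "on his behalf" as "on the user's behalf".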