On 03/11/2015 06:29 PM, Alexandre Mendonca wrote:
But, I think if the credentials are preset to admin/admin, needing
to be changed on first login (with whichever strength enforcement
we decide and keycloak supports) along with email address, it would
be safe. The only possibility of an attacker logging in with
default credentials would be for a never-configured installation,
and for that, even the keycloak "master" realm is exposed to the
same risk.
Right, but it's a risk we don't need, as I see it only as a
convenience rather than a necessity.
Actually, thinking of it, the "master" realm situation is
dangerous, if a user never needs to login directly to it, he may
leave it in "unconfigured" state, where it can be accessed later by
an attacker.
So I vote for option 1. And we need to figure out a solution for also
forcing the user to change the default admin/admin of the "master"
realm.
Indeed, I'll create a JIRA for myself to look into it.
- Juca.