[jboss-dev-forums] [Design of Security on JBoss] - Re: AS 4.2.0 binding to localhost
mjc@redhat.com
do-not-reply at jboss.com
Mon Mar 5 15:09:53 EST 2007
"ryan.campbell at jboss.com" wrote : I'm skeptical that the existing approach will actually push users to read any documentation.
Binding to localhost does at least stop us being insecure by default and is something we do in Red Hat Enterprise Linux with servers such as sendmail.
However, we've also discussed a better solution -- having HTTP Basic authentication turned on by default for any consoles, with no username and password configured. A user browsing the console for the first time (if they don't use the installer) would be prompted to log in, and when failing to log in, a custom "403 Authentication Required" response would be displayed and could point them at the documentation. Using the installer would by default give the user the ability to set up this user/password.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4025177#4025177
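The two secure-by-default measures the post discusses (bind to localhost unless configured otherwise, and require Basic authentication on the console with no credentials shipped, so the first visit gets a challenge pointing at the documentation) can be shown in a small stand-alone stub. This is an added example, not JBoss code and not the proposal's implementation; the names `check_console_auth`, `response_for`, `CONSOLE_USERS`, `DOCS_URL` and the `docs.example.invalid` link are assumptions made for the example, and the 401 status is used because that is the code carrying the `WWW-Authenticate` challenge.

```python
# Added example (not JBoss code): a minimal console stub that is secure by default in
# the two ways discussed in the post: it binds to 127.0.0.1 unless told otherwise, and
# it demands HTTP Basic authentication with NO user configured out of the box. When no
# user exists, every request gets a challenge plus a body pointing at the documentation.
# All names below (check_console_auth, DOCS_URL, CONSOLE_USERS, ...) are assumptions.
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_BIND = "127.0.0.1"   # not 0.0.0.0: unreachable from other hosts unless changed
DOCS_URL = "https://docs.example.invalid/console-setup"   # placeholder documentation link
REALM = "console"

# Credential store: empty by default. An installer or an administrator populates it.
CONSOLE_USERS = {}


def check_console_auth(authorization_header, users):
    """Classify a console request. Returns one of:
       'no_users' - nothing configured, nobody can log in; point the visitor at the docs
       'ok'       - valid Basic credentials for a configured user
       'denied'   - missing, malformed or wrong credentials
    """
    if not users:
        return "no_users"
    if not authorization_header or not authorization_header.startswith("Basic "):
        return "denied"
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
        user, _, password = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):
        return "denied"
    expected = users.get(user)
    # constant-time comparison so a wrong password does not leak which byte mismatched
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return "ok"
    return "denied"


def response_for(outcome):
    """Map an outcome to (status, extra headers, body) for the console."""
    challenge = [("WWW-Authenticate", 'Basic realm="%s"' % REALM)]
    if outcome == "ok":
        return 200, [], b"console: welcome\n"
    if outcome == "no_users":
        body = ("Authentication required, but no console user is configured.\n"
                "See %s to create one.\n" % DOCS_URL).encode()
        return 401, challenge, body
    return 401, challenge, b"Authentication required.\n"


class ConsoleHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        outcome = check_console_auth(self.headers.get("Authorization"), CONSOLE_USERS)
        status, headers, body = response_for(outcome)
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(bind=DEFAULT_BIND, port=8080):
    # Listening on DEFAULT_BIND means a fresh install is only reachable from the same host.
    HTTPServer((bind, port), ConsoleHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it and browse to http://127.0.0.1:8080/ : with `CONSOLE_USERS` empty the browser shows the login prompt, and cancelling it displays the body that points at `DOCS_URL`. Populating `CONSOLE_USERS` (what the post's installer step would do) switches the same endpoint to ordinary credential checking without changing the bind address.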