Admin Password.

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Admin Password.

Ian Boston
Hi,
When looking at some problems I have been having with pooled sessions and administrative logins I noticed the following.

The Admin password for the repository is set in the properties of the server bundle. Its required to create the repository in the first instance, and then is used for every admin login. I have some concerns.

1. Since the webconsole pulgins can get properties for all bundles, then it must be possible for any bundle to get the configuration properties of the server bundle and hence the admin password. I haven't tried, but would it be possible to use a JSP page to get the admin password ? Although we trust the code in the JVM, that feels wrong.

2. Changing the admin password requires that all JVM instances are reconfigured at the same time, although once the password is changed all loginAdministrative operations break until the server bundle is reconfigured.


IMHO, it would be better to use special credentials to identify the administrative logins bound to the admin user.

eg
public final class AdministrativeCredentials implements Credentials { ... }

public final class GuestCredentials implements Credentials { ... }

both private to the server bundle and only use by the SlingRepository impl.

WDYT ?

Ian

Reply | Threaded
Open this post in threaded view
|

Re: Admin Password.

Felix Meschberger-2
Hi,

On 09.01.2010 11:44, Ian Boston wrote:
> Hi,
> When looking at some problems I have been having with pooled sessions and administrative logins I noticed the following.
>
> The Admin password for the repository is set in the properties of the server bundle. Its required to create the repository in the first instance, and then is used for every admin login. I have some concerns.
>
> 1. Since the webconsole pulgins can get properties for all bundles, then it must be possible for any bundle to get the configuration properties of the server bundle and hence the admin password. I haven't tried, but would it be possible to use a JSP page to get the admin password ? Although we trust the code in the JVM, that feels wrong.

Yes, this is possible (at least to steal the password).

To just log into the repository as an administrator the JSP may also
grab the SlingRepository service ...

>
> 2. Changing the admin password requires that all JVM instances are reconfigured at the same time, although once the password is changed all loginAdministrative operations break until the server bundle is reconfigured.

Yes.

>
>
> IMHO, it would be better to use special credentials to identify the administrative logins bound to the admin user.
>
> eg
> public final class AdministrativeCredentials implements Credentials { ... }
>
> public final class GuestCredentials implements Credentials { ... }
>
> both private to the server bundle and only use by the SlingRepository impl.
>
> WDYT ?

+1

Very good idea, indeed. Makes perfect sense.

Regards
Felix

>
> Ian
>
>
Reply | Threaded
Open this post in threaded view
|

Re: Admin Password.

Ian Boston

On 10 Jan 2010, at 09:41, Felix Meschberger wrote:

>>
>>
>> IMHO, it would be better to use special credentials to identify the administrative logins bound to the admin user.
>>
>> eg
>> public final class AdministrativeCredentials implements Credentials { ... }
>>
>> public final class GuestCredentials implements Credentials { ... }
>>
>> both private to the server bundle and only use by the SlingRepository impl.
>>
>> WDYT ?
>
> +1
>
> Very good idea, indeed. Makes perfect sense.
>
> Regards
> Felix


Ok, I will jira, work up a patch and share in the next week or so.
Ian