About the GUI feedback:
I added some warnings/infos to the welcome page of an administrator
1) Warning if the file masterpw.info exists (may contain the master
password in plain text)
2) Warning if the file user.properties.old exists (passwords are in plain
text)
3) Warning if the master password is "geoserver"
4) Warning if the admin password is "geoserver"
5) Warning if the default user group service does NOT use digest encoding
for passwords
6a) Warning if strong encryption is not available
6b) Info if strong encryption is available
In the worst case, an admin sees messages 1) - 6a).
In the best case, the admin sees only message 6b).
Hope I did not forget another important message :-)
2012/8/14 Justin Deoliveira <jdeol...@opengeo.org>
> The approach sounds good to me. +1 Should be fairly straightforward to
> add the check to the main page that already warns about changing the master
> password.
>
>
> On Tue, Aug 14, 2012 at 7:12 AM, Christian Mueller <mcrmc...@gmail.com> wrote:
>
>> Good idea, some feedback on the GUI will not be a major problem. I am
>> waiting for Justin's opinion and hope to finish this issue this week.
>>
>>
>> 2012/8/14 Andrea Aime <andrea.a...@geo-solutions.it>
>>
>>> On Tue, Aug 14, 2012 at 10:35 AM, Christian Mueller
>>> <mcrmc...@gmail.com> wrote:
>>>
>>>> Please take a look at
>>>>
>>>> http://docs.geoserver.org/stable/en/user/installation/upgrade.html
>>>>
>>>> section "Obtaining a master password".
>>>>
>>>> This algorithm works for upgrading from versions < 2.2 and for fresh
>>>> installations of 2.2.x. Since we have no migrated security directory in
>>>> 2.2.x, a fresh installation will also trigger the security migration and
>>>> the result is always a randomly generated master password of 8 characters
>>>> stored in masterpw.info.
>>>>
>>>> For versions 2.3.x, fresh installations will use an already migrated
>>>> security directory. To be consistent, I would like to generate a random
>>>> master password of 8 chars and store it into masterpw.info.
>>>>
>>>> I dislike the idea of having a master password "geoserver". This
>>>> password should be reserved for the standard "admin" user.
>>>>
>>>> Hope my idea becomes clearer :-)
>>>
>>>
>>> Hmm... as an administrator I would not be happy about software
>>> generating a password on my back... but at the very least, if
>>> it does, it should tell the administrator it did so by providing some
>>> feedback in the UI until that file is removed
>>> (don't expect the admins to read the logs line by line)
>>>
>>> Cheers
>>> Andrea
>>>
>>> --
>>> ==
>>> Our support, Your Success! Visit http://opensdi.geo-solutions.it for
>>> more information.
>>> ==
>>>
>>> Ing. Andrea Aime
>>> @geowolf
>>> Technical Lead
>>>
>>> GeoSolutions S.A.S.
>>> Via Poggio alle Viti 1187
>>> 55054 Massarosa (LU)
>>> Italy
>>> phone: +39 0584 962313
>>> fax: +39 0584 962313
>>> mob: +39 339 8844549
>>>
>>> http://www.geo-solutions.it
>>> http://twitter.com/geosolutions_it
>>>
>>> -------------------------------------------------------
>>>
>>>
>>
>
>
> --
> Justin Deoliveira
> OpenGeo - http://opengeo.org
> Enterprise support for open source geospatial.
>
>
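The welcome-page checks listed at the top of this message can be sketched as a stand-alone audit; this is an added example, not GeoServer's own code. The class and method names, the message wording, the use of `Cipher.getMaxAllowedKeyLength` as the strong-encryption test, and the sample directory layout are assumptions; check 5 (digest encoding) is left out because it depends on the user group service configuration.

```java
import java.io.IOException;
import java.nio.file.*;
import java.security.NoSuchAlgorithmException;
import java.util.*;
import java.util.stream.Stream;
import javax.crypto.Cipher;

/** Added illustration of checks 1-4 and 6a/6b; hypothetical names throughout. */
public class SecurityWarnings {
    static final String DEFAULT_PW = "geoserver"; // default named in the thread

    /** Checks 1 and 2: leftover files that may hold plain text passwords. */
    static List<String> leftoverFiles(Path securityDir) throws IOException {
        Set<String> names = Set.of("masterpw.info", "user.properties.old");
        List<String> warnings = new ArrayList<>();
        try (Stream<Path> tree = Files.walk(securityDir)) {
            tree.filter(Files::isRegularFile)
                .filter(p -> names.contains(p.getFileName().toString()))
                .sorted()
                .forEach(p -> warnings.add("WARN: remove " + p + " (may contain plain text passwords)"));
        }
        return warnings;
    }

    /** Checks 3 and 4: takes a char[] so the caller can wipe it afterwards. */
    static boolean isDefault(char[] password) {
        return Arrays.equals(password, DEFAULT_PW.toCharArray());
    }

    /** Checks 6a/6b: true when the JCE policy allows AES keys longer than 128 bits. */
    static boolean strongEncryptionAvailable() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample directory (layout is made up) so the example runs offline.
        Path dir = Files.createTempDirectory("security");
        Files.writeString(dir.resolve("masterpw.info"), "constructed sample\n");
        Files.createDirectories(dir.resolve("nested"));
        Files.writeString(dir.resolve("nested/user.properties.old"), "constructed sample\n");

        List<String> messages = new ArrayList<>(leftoverFiles(dir));
        if (isDefault("geoserver".toCharArray())) messages.add("WARN: master password is the default");
        messages.add(strongEncryptionAvailable()
                ? "INFO: strong encryption is available"
                : "WARN: strong encryption is not available");
        messages.forEach(System.out::println);
    }
}
```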