[ http://issues.apache.org/jira/browse/GERONIMO-911?page=comments#action_12443623 ]

Aaron Mulder commented on GERONIMO-911:
---------------------------------------

Not only that, but you get a different warning if the host name of the HTTPS server doesn't match the host name of the certificate. Our only option would be to get a certificate for "localhost" and assume that the user wouldn't put the proper server hostname into the URL (e.g. https://localhost would work but https://my.server.com would not), but I suspect we'd have trouble getting a certificate issued for "localhost" since it would be so subject to abuse.

Bottom line, I don't think we can default to HTTPS. But we can certainly provide a document or wizard to enable HTTPS (where you select a real keystore, enter passwords, etc.) and point you to the HTTPS URL for the console. That would be the better way to go in my opinion.

> Admin Console should require SSL
> --------------------------------
>
>                 Key: GERONIMO-911
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-911
>             Project: Geronimo
>          Issue Type: Improvement
>      Security Level: public(Regular issues)
>          Components: console
>    Affects Versions: 1.0-M5
>         Environment: all
>            Reporter: Donald Woods
>         Assigned To: Donald Woods
>            Priority: Trivial
>             Fix For: 1.x
>
>         Attachments: Geronimo-911.patch
>
>
> Admin Console login and Portlet access should require SSL to protect the
> system password and any connector/DB/LDAP configured passwords in the
> Portlets.
> I'm willing to create and post a patch for this, once I get a couple other
> items off my plate... -Donald

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
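
The host name check behind the warning discussed in the comment above, as an added example (not part of the original message and not Geronimo code). It goes slightly beyond the comment by also handling wildcard certificate names; the function names, port and `/console` path are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def name_matches(cert_name, host):
    """Compare one DNS name from a certificate with the host the client asked for."""
    p_labels = cert_name.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label, never several
    if p_labels[1:] != h_labels[1:]:
        return False  # everything right of the first label must be identical
    if p_labels[0] == "*":
        # Accept a wildcard only as the whole left-most label and only when
        # at least two fixed labels follow it (rejects "*" and "*.com").
        return len(p_labels) >= 3
    return p_labels[0] == h_labels[0]


def url_host_matches_cert(url, cert_dns_names):
    """True if the host in the URL is covered by any name in the certificate."""
    host = urlsplit(url).hostname
    if not host:
        return False
    return any(name_matches(name, host) for name in cert_dns_names)


def check_console_urls(cert_dns_names, urls):
    """Map each URL to whether a client would accept the certificate for it."""
    return {u: url_host_matches_cert(u, cert_dns_names) for u in urls}


# Constructed sample data: a certificate issued only for "localhost",
# checked against the two URLs named in the comment.
LOCALHOST_CERT = ["localhost"]
URLS = ["https://localhost:8443/console", "https://my.server.com:8443/console"]

if __name__ == "__main__":
    for url, ok in check_console_urls(LOCALHOST_CERT, URLS).items():
        print(("match    " if ok else "MISMATCH ") + url)
```
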
