[magnolia-dev] [JIRA] Created: (MAGNOLIA-4439) Activation key does not get created when it does not exist

[JIRA (on behalf of Edgar Vonk)]

Activation key does not get created when it does not exist
----------------------------------------------------------

                 Key: MAGNOLIA-4439
                 URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-4439
             Project: Magnolia
          Issue Type: Bug
      Security Level: Public
          Components: activation
    Affects Versions: 4.5.3
            Reporter: Edgar Vonk
            Assignee: Philipp Bärfuss


It seems the private activation key no longer gets created on first activation 
when it does not exist.

In our Magnolia web app we do not have an activation key by default. When we 
try to activate content the first time (the subscriber is configured correctly 
and running) this fails with the error 'Private key store doesn't exist at..'

It is easily reproduced in the Magnolia 4.5.3 EE distribution if you first 
remove the magnolia-activation-keypair.properties file from the 
magnoliaAuthor/WEB-INF/config/default dir, start up Magnolia (the author 
instance) and attempt to activate content.

In the log:
{code}
Caused by: java.lang.SecurityException: Private key store doesn't exist at 
[/Users/edgar/Downloads/magnolia-enterprise-4.5.3/apache-tomcat-6.0.32/webapps/magnoliaAuthor/WEB-INF/config/default/magnolia-activation-keypair.properties].
 Please, ensure that [magnolia.author.key.location] actually points to the 
correct location
        at 
info.magnolia.cms.security.SecurityUtil.checkPrivateKeyStoreExistence(SecurityUtil.java:367)
{code}

I guess the workaround is to generate an activation key and store that manually 
on the filesystem or use the one provided in the Magnolia EE distribution?

PS: this mechanism is introduced for security reasons right? If so, why does 
Magnolia distribute the key in it's Magnolia EE distributions? With default 
Magnolia installations the very same key is now used all over the world. So 
much for security.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.magnolia-cms.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       


----------------------------------------------------------------
For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <dev-list-unsubscr...@magnolia-cms.com>
----------------------------------------------------------------