On 09/04/2013 08:03 PM, Darren Shepherd wrote:
> On 09/04/2013 10:52 AM, Mathias Mullins wrote:
>> Hi Darren,
>>
>> It's a very commonly used port for many installations that want
>> unauthenticated API access, especially from other tools and systems. I
>> think getting rid of this would be a really bad idea.
>
> Sigh, I just hate the "totally insecure by default" approach. Not to
> mention the code path for 8080 and 8096 is different. 8080 being
> servlet based and 8096 being httpcore based.
>
> Darren

As Marcus pointed out, this is not there by default. Gotta love
"totally insecure per wise decision".

Personally I use this to implement zero-touch bootstrapping and
automation of testing. The only command given via the integration port
is setting up an admin user and generating keys. Once done, the scripts
continue using the key-based approach. If there is a valid key set stored
away, the key is tested and, if valid, the integration port is not used by
the script for successive invocations. In our implementations, the
integration port is opened using direct DB access and manipulation of
the global parameter.

NB: if you create, say, a template via the integration port, that template
cannot be deleted by even the admin user (have not checked this for 4.2
but it is true for 4.1.1 and earlier). The integration port uses a
different user context (as you indicate). Hence, perhaps only use the
integration port to bootstrap an admin user.

/Ove
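
The bootstrap flow described in the message above, sketched as an added example that is not code from this thread or from the CloudStack project: stored keys are probed with a signed request first, and the integration port is used only when no valid keys exist. It assumes CloudStack's documented HMAC-SHA1 request signing; `listCapabilities` as the probe command, the `send_signed` and `bootstrap` callables, and the key values are hypothetical or constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

def sign(params, secret_key):
    """Sort pairs by field name, URL-encode values, lowercase, HMAC-SHA1, base64."""
    pairs = sorted(params.items(), key=lambda kv: kv[0].lower())
    canonical = "&".join(f"{k}={quote(str(v), safe='')}" for k, v in pairs).lower()
    mac = hmac.new(secret_key.encode(), canonical.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_query(params, api_key, secret_key):
    """Query string for the authenticated API port, signature appended last."""
    full = dict(params, apikey=api_key)
    query = "&".join(f"{k}={quote(str(v), safe='')}" for k, v in full.items())
    return query + "&signature=" + quote(sign(full, secret_key), safe="")

def ensure_keys(stored, send_signed, bootstrap):
    """Return (keys, used_integration_port).

    stored      -- (api_key, secret_key) from an earlier run, or None
    send_signed -- hypothetical transport: takes a query string, True if accepted
    bootstrap   -- hypothetical one-time step over the integration port that
                   creates the admin user and returns freshly generated keys
    """
    if stored is not None:
        probe = signed_query({"command": "listCapabilities"}, *stored)
        if send_signed(probe):
            return stored, False          # valid keys: integration port untouched
    return bootstrap(), True              # no usable keys: bootstrap exactly once

# Constructed stand-in for the management server, so the example runs offline.
SERVER_KEYS = {"constructed-api-key": "constructed-secret"}

def fake_server(query):
    params = dict(parse_qsl(query))
    signature = params.pop("signature", "")
    secret = SERVER_KEYS.get(params.get("apikey", ""))
    return secret is not None and hmac.compare_digest(signature, sign(params, secret))

def fake_bootstrap():
    return ("constructed-api-key", "constructed-secret")
```

Once `ensure_keys` reports that valid keys exist, the integration port can be closed again, since later runs never touch it.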