On Wed, Sep 04, 2013 at 08:21:10PM +0200, Ove Ewerlid wrote:
> On 09/04/2013 08:03 PM, Darren Shepherd wrote:
> >On 09/04/2013 10:52 AM, Mathias Mullins wrote:
> >>Hi Darren,
> >>
> >>It's a very commonly used port for many installations that want an
> >>unauthenticated API access, especially from other tools and systems. I
> >>think getting rid of this would be a really bad idea.
> >>
> >
> >Sigh, I just hate the "totally insecure by default" approach. Not to
> >mention the code path for 8080 and 8096 is different. 8080 being
> >servlet based and 8096 being httpcore based.
> >
> >Darren
>
> As Marcus pointed out, this is not there per default. Gotta love
> "totally insecure per wise decision".
>
> Personally I use this to implement zero touch bootstrapping and
> automation of testing. The only command given via the Integration
> port is setting up an admin user and generating keys. Once done, the
> scripts continue using the key-based approach. If there is a valid
> key set stored away, key is tested and if valid, the integration
> port is not used by the script for successive invocations. In our
> implementations, the integration port is opened using direct DB
> access and manipulation of the global parameter.

Yup, this is how marvin registers itself too and further on uses the
keys to authenticate API calls over 8080.

>
> NB; if you create say a template via the integration port, that
> template can not be deleted by even the admin user (have not checked
> this for 4.2 but it is true for 4.1.1 and earlier). The integration
> port uses a different user context (as you indicate). Hence, perhaps
> only use the integration port to bootstrap an admin user.
>
> /Ove

--
Prasanna.,
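
The key-based flow discussed in this thread, as an added example (not code from the thread, from marvin or from CloudStack): it signs a request following CloudStack's documented API signing (HMAC-SHA1 over the sorted, lower-cased query string) and uses the integration port only when no stored key pair validates. The host names, the `probe` callable, `next_request` and the sample keys are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

API_URL = "http://mgmt.example.test:8080/client/api"  # assumed host, authenticated port
INTEGRATION_URL = "http://127.0.0.1:8096/client/api"  # assumed host, integration port


def sign_request(params, api_key, secret_key):
    """Build a signed query string for the authenticated API on 8080."""
    fields = dict(params, apiKey=api_key)
    # Sort fields case-insensitively and URL-encode each value.
    ordered = sorted(fields.items(), key=lambda kv: kv[0].lower())
    query = "&".join(f"{k}={quote(str(v), safe='')}" for k, v in ordered)
    # The signature covers the lower-cased query; the secret key is never sent.
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    signature = quote(base64.b64encode(digest).decode(), safe="")
    return f"{query}&signature={signature}"


def next_request(stored_keys, probe, admin_user_id):
    """Pick the endpoint for the next call: (mode, base_url, query).

    stored_keys: (api_key, secret_key) or None.
    probe: hypothetical callable(base_url, query) -> bool that performs the
           HTTP GET and reports whether the server accepted the request.
    """
    if stored_keys:
        api_key, secret_key = stored_keys
        query = sign_request({"command": "listUsers", "response": "json"},
                             api_key, secret_key)
        if probe(API_URL, query):
            return ("authenticated", API_URL, query)
    # No usable keys: one unauthenticated call to generate them, nothing else.
    query = f"command=registerUserKeys&id={quote(str(admin_user_id), safe='')}&response=json"
    return ("bootstrap", INTEGRATION_URL, query)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    keys = ("EXAMPLE-API-KEY", "EXAMPLE-SECRET-KEY")
    print(next_request(keys, lambda url, q: True, "2"))
    print(next_request(None, lambda url, q: False, "2"))
```

The bootstrap branch is reached only when no valid key set exists, which keeps use of the unauthenticated port confined to generating keys for the admin user.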