[ http://issues.apache.org/jira/browse/GERONIMO-1394?page=all ]

Kevan Miller closed GERONIMO-1394.
----------------------------------

    Resolution: Won't Fix

There isn't a debug console any longer...

> JMX Debug Console should require admin-level authentication
> -----------------------------------------------------------
>
>                 Key: GERONIMO-1394
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-1394
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: management
>    Affects Versions: 1.0
>         Environment: 1.0 RC
>            Reporter: Kevan Miller
>             Fix For: Wish List
>
>
> The debug console does not require user authentication. Since MBean 
> attributes can provide configuration and security information about a server 
> that should not be public knowledge, by default, the debug console should 
> require admin-level authentication. 
> I didn't see anything too sensitive in my sampling of MBean attributes... 
> Whoops, I spoke too soon. Here are the attributes for the DirectoryService 
> (note the credentials attribute)...
> ObjectName:            geronimo.server:name=DirectoryService
> ClassName:    org.apache.geronimo.directory.DirectoryGBean
> State:        running
> Attributes
> Name  Value
> anonymousAccess       true
> configFile    (null)
> enableNetworking      true
> host  0.0.0.0
> port  1389
> providerURL   ou=system
> securityAuthentication        simple
> securityCredentials   secret
> securityPrincipal     uid=admin,ou=system
> workingDir    (null)
> There's been talk of incorporating debug console into the admin console -- 
> which I would support and would presumably address the problem... However, in 
> the meantime, we may want/need to nail down the current debug console...

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
