Re: Question about hashed passwords in seed data

Sun, 25 Jan 2009 15:22:28 -0800

I can understand the concerns about security but... since the passwords are loaded only by the seed-initial target (aka "ant run- install-extseed") I'd say that, if you run that task, it should be pretty clear what you are doing. A framework upgrade (aka "svn up framework" and "ant run-install- seed") will not be affected by this change. Actually, the "admin" user will be created (if not already there) but with empty password... hmmm, is it the concern about the security hole? Yes, this could be an issue, but only for existing db without admin user already defined. However I think we need to find a compromise so that it will be possible to log in into a framework only setup. Any suggestions? (maybe just adding a clear message in the ant output that explains what is happening when you run that task? 

Jacopo


On Jan 25, 2009, at 9:59 PM, Adrian Crum wrote:
I suggested having the admin user login and password in the framework. A couple of people responded that doing so would open up a security hole. I asked how a user would log into a new installation if there was no initial user login and password. The discussion stopped there. 

-Adrian
--- On Sun, 1/25/09, David E Jones <[email protected]> wrote: 


From: David E Jones <[email protected]>
Subject: Re: Question about hashed passwords in seed data
To: "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>
Date: Sunday, January 25, 2009, 12:42 PM
Maybe you understood incorrectly, if you are referring to
what I think you are.


-David


On Jan 25, 2009, at 13:01, Adrian Crum
<[email protected]> wrote:


--- On Sun, 1/25/09, Jacopo Cappellato

<[email protected]> wrote:

Also, I would like to move the UserLogin record

for the

"admin" and "system" UserLogin
(including the relevant entries in the
PasswordSecurityData.xml file) from the

securityext to the

security component, i.e. from the applications to

the

framework.

In this way we will be able to log in to the

webtools

application even if we are running a framework

only version

of OFBiz.


I suggested that some time ago and the reply was that

there were to be no user login IDs or passwords supplied
with the framework.


-Adrian

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to