+1 to have the admin with the "ofbiz" default password in the framework (I suggest to put in the seed).
What other systems I have seen do is to always show a warning message until the admin password has been changed from the default. My two cents -Bruno 2009/1/26 Jacopo Cappellato <[email protected]> > I can understand the concerns about security but... since the passwords are > loaded only by the seed-initial target (aka "ant run-install-extseed") I'd > say that, if you run that task, it should be pretty clear what you are > doing. > A framework upgrade (aka "svn up framework" and "ant run-install-seed") > will not be affected by this change. > Actually, the "admin" user will be created (if not already there) but with > empty password... hmmm, is it the concern about the security hole? Yes, this > could be an issue, but only for existing db without admin user already > defined. > However I think we need to find a compromise so that it will be possible to > log in into a framework only setup. > Any suggestions? (maybe just adding a clear message in the ant output that > explains what is happening when you run that task? > > Jacopo > > > > On Jan 25, 2009, at 9:59 PM, Adrian Crum wrote: > > I suggested having the admin user login and password in the framework. A >> couple of people responded that doing so would open up a security hole. I >> asked how a user would log into a new installation if there was no initial >> user login and password. The discussion stopped there. >> >> -Adrian >> >> >> --- On Sun, 1/25/09, David E Jones <[email protected]> wrote: >> >> From: David E Jones <[email protected]> >>> Subject: Re: Question about hashed passwords in seed data >>> To: "[email protected]" <[email protected]> >>> Cc: "[email protected]" <[email protected]> >>> Date: Sunday, January 25, 2009, 12:42 PM >>> Maybe you understood incorrectly, if you are referring to >>> what I think you are. >>> >>> >>> -David >>> >>> >>> On Jan 25, 2009, at 13:01, Adrian Crum >>> <[email protected]> wrote: >>> >>> --- On Sun, 1/25/09, Jacopo Cappellato >>>> >>> <[email protected]> wrote: >>> >>>> Also, I would like to move the UserLogin record >>>>> >>>> for the >>> >>>> "admin" and "system" UserLogin >>>>> (including the relevant entries in the >>>>> PasswordSecurityData.xml file) from the >>>>> >>>> securityext to the >>> >>>> security component, i.e. from the applications to >>>>> >>>> the >>> >>>> framework. >>>>> >>>>> In this way we will be able to log in to the >>>>> >>>> webtools >>> >>>> application even if we are running a framework >>>>> >>>> only version >>> >>>> of OFBiz. >>>>> >>>> >>>> I suggested that some time ago and the reply was that >>>> >>> there were to be no user login IDs or passwords supplied >>> with the framework. >>> >>>> >>>> -Adrian >>>> >>>> >>>> >>>> >>>> >> >> >> >
