-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Not sure it is worth the effort but why not have a framworkadmin login. it would have the permission only for the framework.
Jacopo Cappellato sent the following on 1/25/2009 3:21 PM: > I can understand the concerns about security but... since the passwords > are loaded only by the seed-initial target (aka "ant > run-install-extseed") I'd say that, if you run that task, it should be > pretty clear what you are doing. > A framework upgrade (aka "svn up framework" and "ant run-install-seed") > will not be affected by this change. > Actually, the "admin" user will be created (if not already there) but > with empty password... hmmm, is it the concern about the security hole? > Yes, this could be an issue, but only for existing db without admin user > already defined. > However I think we need to find a compromise so that it will be possible > to log in into a framework only setup. > Any suggestions? (maybe just adding a clear message in the ant output > that explains what is happening when you run that task? > > Jacopo > > > On Jan 25, 2009, at 9:59 PM, Adrian Crum wrote: > >> I suggested having the admin user login and password in the framework. >> A couple of people responded that doing so would open up a security >> hole. I asked how a user would log into a new installation if there >> was no initial user login and password. The discussion stopped there. >> >> -Adrian >> >> >> --- On Sun, 1/25/09, David E Jones <[email protected]> wrote: >> >>> From: David E Jones <[email protected]> >>> Subject: Re: Question about hashed passwords in seed data >>> To: "[email protected]" <[email protected]> >>> Cc: "[email protected]" <[email protected]> >>> Date: Sunday, January 25, 2009, 12:42 PM >>> Maybe you understood incorrectly, if you are referring to >>> what I think you are. >>> >>> >>> -David >>> >>> >>> On Jan 25, 2009, at 13:01, Adrian Crum >>> <[email protected]> wrote: >>> >>>> --- On Sun, 1/25/09, Jacopo Cappellato >>> <[email protected]> wrote: >>>>> Also, I would like to move the UserLogin record >>> for the >>>>> "admin" and "system" UserLogin >>>>> (including the relevant entries in the >>>>> PasswordSecurityData.xml file) from the >>> securityext to the >>>>> security component, i.e. from the applications to >>> the >>>>> framework. >>>>> >>>>> In this way we will be able to log in to the >>> webtools >>>>> application even if we are running a framework >>> only version >>>>> of OFBiz. >>>> >>>> I suggested that some time ago and the reply was that >>> there were to be no user login IDs or passwords supplied >>> with the framework. >>>> >>>> -Adrian >>>> >>>> >>>> >>>> >> >> >> > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJfQvNrP3NbaWWqE4RAutxAJ901+/ZKhcIay1cz6H827s/P0DrUQCfQmJR YsjI5NxW/TZ6tlFhU+mnN4c= =EkBq -----END PGP SIGNATURE-----
