Hi,

On Tue, Dec 10, 2013 at 5:40 AM, Carsten Ziegeler (JIRA) <[email protected]> wrote:
> Carsten Ziegeler created SLING-3272: ...
> The security provider 2 which uses Sling for authentication should only be
> registered, if the startup is finished -
> usually all content should be installed to properly render the login form,
> therefore it makes sense to defer until
> startup is finished...

IIUC this means the webconsole will potentially use different credentials during and after startup, isn't that a security issue?

I imagine people will change the after startup password, but might leave default passwords for the authentication used during startup.

I don't see how to avoid it but if I'm right this should at least be documented as a potential issue.

-Bertrand
