This has always been the case: as long as the repo is not available, the user/pw configured with the web console is used, once the repo is there, repo auth is used.
This is still the case - the new security provider 2 which is using the sling login but also the repo for auth, is the one which is installed after startup is finished - but that does not change the credentials:

So today the order is
1. configured user/pw
2. repo ready: repo but basic auth
3. startup finish: repo with sling login

Before it was just 1. and 2.

Carsten

2013/12/10 Bertrand Delacretaz <[email protected]>

> Hi,
>
> On Tue, Dec 10, 2013 at 5:40 AM, Carsten Ziegeler (JIRA)
> <[email protected]> wrote:
> > Carsten Ziegeler created SLING-3272:
> ...
> > The security provider 2 which uses Sling for authentication should only be registered, if the startup is finished -
> > usually all content should be installed to properly render the login form, therefore it makes sense to defer until
> > startup is finished...
>
> IIUC this means the webconsole will potentially use different
> credentials during and after startup, isn't that a security issue?
>
> I imagine people will change the after startup password, but might
> leave default passwords for the authentication used during startup.
>
> I don't see how to avoid it but if I'm right this should at least be
> documented as a potential issue.
>
> -Bertrand
>

--
Carsten Ziegeler
[email protected]
