Ship with FTP disabled, and when an admin enables it, have some sort of account creation wizard enforcing best practices?
Thanks,
Mike Pumphrey
OpenGeo - http://opengeo.org

On 6/1/2010 11:05 AM, Andrea Aime wrote:
> Arne Kepp wrote:
>> I like the idea, and I think FTP is probably the way to go given
>> Microsoft's propensity to break WebDAV.
>>
>> But by default GeoServer ships with a small security problem in the
>> sense that the admin password is universally known. I prefer Tomcat's
>> approach in which no account is enabled by default, but this has not been a
>> big issue up to this point.
>>
>> But if we include an FTP server then GeoServer suddenly becomes a
>> valuable target for people who want to distribute illegal materials.
>>
>> I therefore suggest that it should not be possible to log in with the
>> standard credentials, and if possible tell the FTP client the reason for
>> the rejection in the Access Denied response.
>
> Sigh, unfortunately it does not seem possible to control the access
> denied response.
> This might be a source of some confusion as people are not notified
> of why the thing is failing.
>
> We can still address this by documentation, or just allow logins
> but prominently report the issue in the logs...
>
> Suggestions?
>
> Cheers
> Andrea

_______________________________________________
Geoserver-devel mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
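The login gate the thread is circling around, written out as an added example (this is not GeoServer code, and it does not use any particular FTP library's API). It combines the two proposals: Arne's "refuse the well-known default credentials" and Andrea's "since the 530 reply text cannot be changed, put the reason in the server log", plus the password policy an account-creation wizard along Mike's lines would enforce. The default account pair in DEFAULT_CREDENTIALS and the callback for the real credential store are assumptions made for the example; in a real deployment the default user would be read from the configured security subsystem rather than hard-coded.

```python
"""FTP login gate: refuse known default credentials, log the reason loudly.

Added example, not GeoServer's own code. The FTP protocol only lets us
send a generic "530 Login incorrect", so every refusal reason goes to
the server log instead of the client.
"""
import hmac
import logging

log = logging.getLogger("geoserver.ftp")

# Assumption for this example: the account GeoServer ships with, which
# the thread notes is universally known. Stored as a set so more
# factory defaults can be added without touching the check.
DEFAULT_CREDENTIALS = {("admin", "geoserver")}
MIN_PASSWORD_LENGTH = 8


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison (encode first: compare_digest
    rejects non-ASCII str)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def is_default_credential(user: str, password: str) -> bool:
    """True if the pair is one of the shipped factory defaults."""
    return any(_eq(user, u) and _eq(password, p) for u, p in DEFAULT_CREDENTIALS)


def weak_password_reasons(user: str, password: str) -> list:
    """Policy an account-creation wizard would enforce before an FTP
    account may be created. Returns an empty list when the password is
    acceptable, otherwise one human-readable reason per failed rule."""
    reasons = []
    if is_default_credential(user, password):
        reasons.append("default credentials")
    if len(password) < MIN_PASSWORD_LENGTH:
        reasons.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() == user.lower():
        reasons.append("password equals user name")
    return reasons


class FtpLoginGate:
    """Wraps the real credential store with the checks discussed above.

    verify_password: callable(user, password) -> bool, the existing
    credential store (assumed interface for this example).
    ftp_enabled: FTP ships disabled; an admin must turn it on.
    """

    def __init__(self, verify_password, ftp_enabled: bool = False):
        self.verify_password = verify_password
        self.ftp_enabled = ftp_enabled

    def authenticate(self, user: str, password: str) -> bool:
        """Return True to accept the login. Every False maps to the same
        generic 530 reply, so the distinguishing detail is logged here."""
        if not self.ftp_enabled:
            log.warning("FTP login attempt by %r while FTP is disabled", user)
            return False
        # Checked before the credential store on purpose: even if the
        # store would accept admin/geoserver, the gate refuses it.
        if is_default_credential(user, password):
            log.error(
                "REFUSED FTP login for %r: default credentials are still in "
                "use; change the admin password before enabling FTP", user
            )
            return False
        if not self.verify_password(user, password):
            log.info("FTP login failed for %r: bad password", user)
            return False
        return True


if __name__ == "__main__":
    # Constructed credential store standing in for GeoServer's users.
    store = {("admin", "geoserver"), ("mike", "s3cretPassw0rd")}
    gate = FtpLoginGate(lambda u, p: (u, p) in store, ftp_enabled=True)
    print("admin/geoserver accepted?", gate.authenticate("admin", "geoserver"))
    print("mike accepted?", gate.authenticate("mike", "s3cretPassw0rd"))
    print("wizard verdict for bob/bob:", weak_password_reasons("bob", "bob"))
```

Note that the gate refuses the default pair even when the backing store would accept it, so an installation whose admin password was never changed cannot be turned into an FTP drop; the operator sees the reason in the log, the client only sees the usual 530.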
