I got some additional input from Ian. To summarize:
1) Check for a user called admin and use this password as master password
candidate. If the password is "geoserver" continue with 3), otherwise write
a corresponding message to the log file and stop.
2) If there is no user called admin, check for a user having
ROLE_ADMINISTRATOR and use this password as a candidate. If the password is
"geoserver", continue with 3), otherwise write a corresponding message to
the log file and stop.
3) Generate a password with 8 characters. Store the password in a file
masterpw.generated and write a message to the log file.
This would assure that the migration never results in a master password
"geoserver". If we want to go this way, I would not check in a migrated
security directory. Each GeoServer installation should have its individual
master password.
Opinions?
2012/8/7 Justin Deoliveira <jdeol...@opengeo.org>
>
>
> On Tue, Aug 7, 2012 at 7:49 AM, Andrea Aime
> <andrea.a...@geo-solutions.it> wrote:
>
>> On Tue, Aug 7, 2012 at 3:36 PM, Christian Mueller <mcrmc...@gmail.com> wrote:
>>
>>> Now I am unsure, should I prepare a migrated security directory for
>>> 2.2.x and 2.3.x or not ????
>>
>>
>> I would put it on 2.3.x, and backport once we are satisfied the automatic
>> upgrade
>> is doing the right thing
>>
>>
> Christian, to clarify: we are not changing this to mitigate the root
> account security hole, the plan is to make the root account password the
> same as the admin account password, falling back on a random password
> (saved out in plain text) if the admin account does not exist.
>
> I wanted to hear from you on your thoughts about this?
>
> As for the data directory change I would actually just leave it as is for
> now. But no strong objection to changing it on master.
>
> Cheers
>> Andrea
>>
>>
>> --
>> ==
>> Our support, Your Success! Visit http://opensdi.geo-solutions.it for
>> more information.
>> ==
>>
>> Ing. Andrea Aime
>> @geowolf
>> Technical Lead
>>
>> GeoSolutions S.A.S.
>> Via Poggio alle Viti 1187
>> 55054 Massarosa (LU)
>> Italy
>> phone: +39 0584 962313
>> fax: +39 0584 962313
>> mob: +39 339 8844549
>>
>> http://www.geo-solutions.it
>> http://twitter.com/geosolutions_it
>>
>> -------------------------------------------------------
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Geoserver-devel mailing list
>> Geoserver-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>
>>
>
>
> --
> Justin Deoliveira
> OpenGeo - http://opengeo.org
> Enterprise support for open source geospatial.
>
>
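As an added example (not GeoServer code, and not from anyone on this thread), the three-step master-password migration proposed at the top of this message modelled in Python, including the point that the fallback password lands on disk in plain text. The user and role stores are constructed in-memory dicts standing in for GeoServer's user/role services, and the `writer` parameter is an assumption added so the file step can be swapped out.

```python
import logging
import os
import secrets
import string

log = logging.getLogger("masterpw-migration")
DEFAULT_MASTER_PW = "geoserver"  # the value the migration must never end up with


def master_password_candidate(users, roles):
    """Steps 1 and 2: return (source_user, password), or (None, None).

    users: {username: plaintext_password}; roles: {username: {role, ...}}.
    Both are constructed in-memory stand-ins for GeoServer's user/role services.
    """
    if "admin" in users:  # step 1: a user literally called "admin"
        return "admin", users["admin"]
    for name in sorted(users):  # step 2: any ROLE_ADMINISTRATOR user (deterministic order)
        if "ROLE_ADMINISTRATOR" in roles.get(name, ()):
            return name, users[name]
    return None, None


def generate_password(length=8):
    """Step 3: 8-character password from a CSPRNG (secrets, not random)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def write_generated(path, password):
    """The generated password is plain text on disk, so create the file
    owner-only (0600) up front instead of chmod-ing after writing."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(password + "\n")


def migrate_master_password(users, roles, security_dir, writer=write_generated):
    """Run steps 1-3; return (master_password, was_generated)."""
    source, candidate = master_password_candidate(users, roles)
    if candidate is not None and candidate != DEFAULT_MASTER_PW:
        log.info("master password taken from user %r", source)  # stop here
        return candidate, False
    if candidate is None:
        log.warning("no admin or ROLE_ADMINISTRATOR user; generating a password")
    else:
        log.warning("user %r still has the default password; generating one", source)
    generated = generate_password()
    path = os.path.join(security_dir, "masterpw.generated")
    writer(path, generated)  # assumption: writer is swappable for testing
    log.warning("generated master password stored in %s", path)
    return generated, True
```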