[ http://issues.apache.org/jira/browse/JCR-351?page=comments#action_12370188 ]
Stefan Guggisberg commented on JCR-351: --------------------------------------- ok, i agree. > We could even have this behaviour disabled by default, but enabled in the > configuration file > used with the JCR-348 automatic configuration. +1 stefan > Default to superuser access when JAAS is not configured > ------------------------------------------------------- > > Key: JCR-351 > URL: http://issues.apache.org/jira/browse/JCR-351 > Project: Jackrabbit > Type: Improvement > Components: security > Versions: 0.9 > Reporter: Jukka Zitting > Priority: Minor > > Even though JCR-348 made easier to start a Jackrabbit repository with default > configuration, the user still needs to take care of the JAAS configuration. > It would be more user-friendly to log a warning and default to superuser > access rather than throwing a LoginException when JAAS has not been > configured. This behaviour should be limited to only default credential > logins (Session.login() with null Credentials) and it should be possible to > disable it with a configuration option. We could even have this behaviour > disabled by default, but enabled in the configuration file used with the > JCR-348 automatic configuration. > This is a case against the "secure by default" design principle, but I think > that in this case the benefits in easier setup outweight the security > drawbacks, especially if coupled with the above restrictions and a clear > documentation note about the insecure default. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
