Well, the consensus from the list was to leave in the auto.disable feature,
even though it makes it easy to disable anyone's account - 3 quick entries
of your foe's user id with junk passwords and that foe cannot use the system
anymore, until the administrator restores the account.
And if you happen to know the admin user id, well, you can shut that down,
too.
And further, you cannot turn this feature off! The jr.p is incorrect, or
inconsistent with the code, in the line it has to enable this feature - and
all the code, if it can't find a setting in the jr.p, assumes that the
feature is on!
The code (JLoginUser and UserUpdateAction) uses:
JetspeedResources.getBoolean("logon.auto.disable", true)
Jr.p has:
services.JetspeedSecurity.logon.auto.disable=true
These are NOT the same.
So, shall we fix jr.p to have:
logon.auto.disable=true
?
- Glenn
--------------------------------------------
Glenn R. Golden, Systems Research Programmer
University of Michigan School of Information
[EMAIL PROTECTED] 734-615-1419
--------------------------------------------
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
