Glenn,
I think their is a different, although related problem.
1) JetspeedDBSecurity does not use the JR.p
services.JetspeedSecurity.logon.auto.disable. JetspeedDBSecurity should
be updated to use the property
2) JLogin and UserUpdateAction should use
services.JetspeedSecurity.logon.auto.disable, not logon.auto.disble.
Paul Spencer
Glenn Golden wrote:
> Well, the consensus from the list was to leave in the auto.disable feature,
> even though it makes it easy to disable anyone's account - 3 quick entries
> of your foe's user id with junk passwords and that foe cannot use the system
> anymore, until the administrator restores the account.
>
> And if you happen to know the admin user id, well, you can shut that down,
> too.
>
> And further, you cannot turn this feature off! The jr.p is incorrect, or
> inconsistent with the code, in the line it has to enable this feature - and
> all the code, if it can't find a setting in the jr.p, assumes that the
> feature is on!
>
> The code (JLoginUser and UserUpdateAction) uses:
>
> JetspeedResources.getBoolean("logon.auto.disable", true)
>
> Jr.p has:
>
> services.JetspeedSecurity.logon.auto.disable=true
>
> These are NOT the same.
>
> So, shall we fix jr.p to have:
>
> logon.auto.disable=true
>
> ?
>
> - Glenn
>
> --------------------------------------------
> Glenn R. Golden, Systems Research Programmer
> University of Michigan School of Information
> [EMAIL PROTECTED] 734-615-1419
> --------------------------------------------
>
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
