[ http://issues.apache.org/jira/browse/JS2-372?page=all ]
     
Ate Douma resolved JS2-372:
---------------------------

    Resolution: Fixed

> Simplify default Jetspeed password credential security configuration
> --------------------------------------------------------------------
>
>          Key: JS2-372
>          URL: http://issues.apache.org/jira/browse/JS2-372
>      Project: Jetspeed 2
>         Type: Improvement
>   Components: Assembly/Configuration, Security
>     Versions: 2.0-M4
>     Reporter: Ate Douma
>     Assignee: Ate Douma
>      Fix For: 2.0-M4

>
> The current Jetspeed user (login) security configuration is quite strict and 
> can be overwhelming for first time users.
> There also have been numerous questions (and complaints) on the lists about 
> how this works and/or how to change/simplify this.
> But, the current implementation of the password credential handling was not 
> yet flexible enough to provide a more simple solution without throwing out
> too much functionality.
> With the new password credential interceptors (see JS2-359) and improvements 
> on password expiration management and default "change password on first 
> login" (see JS2-371), this all now becomes much easier.
> Thus, once the above two issues are completed, I will change the default 
> (demo) configuration as follows:
> - passwords only need to be non-empty
> - passwords are still MessageDigest encoded
> - password expiration functionality is no longer configured
> - password history is no longer maintained
> - authentication failures no longer lead to disabling the password credential
> - only for the admin user, change of the password is required on first login
> Although this isn't exactly a "production ready" setup in my opinion, it's 
> fine as the default out-of-the-box configuration for Jetspeed.
> And with also provided new online documentation, it will be quite simple to 
> change the configuration as one sees fit.
> An example of how to restore the current "strict" security configuration will 
> also be part of the provided documentation.
