On 29/06/16 14:26, Robbie Gemmell wrote:
> On 29 June 2016 at 14:11, Gordon Sim <[email protected]> wrote:
>> On 29/06/16 13:43, Robbie Gemmell wrote:
>>> I personally dislike
>>> examples using ANONYMOUS, though I can see the appeal that it avoids
>>> particular credentials, and may be easier out the box for certain
>>> servers. There are of course also other servers out there that don't do
>>> ANONYMOUS by default / especially obviously / at all.
>>
>> Personally I think for servers, having anonymous enabled by default is safer
>> than having a predefined guest user. However...
>
> I see them as equally poor in terms of end state security, but the
> latter at least requires using the functionality needed to
> authenticate once you change the credentials.

For clients, I agree that making it easy to use examples with full
authentication is valuable.

For *servers*, I don't think anything is learned by having a pre-created
user and I'd argue it's perhaps easier to forget to remove it than it is
to disable anonymous.

I think having anonymous disabled by default is a perfectly sensible
choice (especially if it is easy to enable it and the process for doing
so is documented in an easy to find location). Adding a dummy user seems
much less desirable to me.

However, my focus at present is really just about the client side and
whether the examples could be made more flexible. That would make them
more useful against different servers with different views on default
configurations.

More complete patch for comments: https://reviews.apache.org/r/49380/