1. Re: security in the console
tom.baeyens Jun 15, 2007 3:49 AM (in response to tom.baeyens)

I also removed the comments in the web.xml about the security warning around the GPD deployment servlet. That should be in the documentation, I think.

In 3.2.1 it's going to take too long to fix this, as we would have to fork and make a new release of the old designer. So in 3.2.1, I still want an open GPD deployment servlet, and a warning is most appropriate in the release notes, I think.

Then in 3.2.2, I want the GPD to add authentication info to the request that uploads the servlet, and the servlet should be secured. Then users can control the authorization by just logging into the webapp and removing the GPD user.

This plays out nicely with the users on the login page, because when people remove the users, nobody will be allowed to upload a new process definition.

By the way, it would be good if you could add minimal documentation for the console in the user guide. Two or three pages is already a good start. It could cover deployment and usage.
2. Re: security in the console
dmlloyd Jun 15, 2007 9:34 AM (in response to tom.baeyens)

"tom.baeyens@jboss.com" wrote:
    I think that exposing the usernames and passwords on the home page is good. Then it's good for evaluation purposes, and also people know immediately that you can't put this into production as is. With the good identity management UI that you've added, people can easily delete all users and avoid that security risk.

But you can put this into production as is! That's the whole point. Just change the config files.

Putting the user names on the login page means that the user actually has to change the xhtml to put this into production. I think that this steps over the line and makes the console worse for both evaluation and deployment. It's a far greater benefit to the end user to just drop it into their development environment and immediately become productive. I believe it's more valuable for our customers as well.
3. Re: security in the console
dmlloyd Jun 15, 2007 10:53 AM (in response to tom.baeyens)

"tom.baeyens@jboss.com" wrote:
    I also removed the comments in the web.xml about the security warning around the GPD deployment servlet. That should be in the documentation, I think.

Fine, we can put it in the documentation, but we should also put it back in the web.xml. It does no harm being there, and it is an important indication that there is a security issue. Which there is. With security, you cannot have too many warnings.
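The two points raised in this thread, securing the GPD deployment servlet behind authentication (post 1, the 3.2.2 plan) and keeping a security warning comment next to it in web.xml (post 3), can be shown together in one deployment-descriptor fragment. The following is an added example written for this page, not the jBPM console's own web.xml. The servlet name, servlet class, URL pattern (/upload), role name (gpd-deployer) and realm name are all assumptions chosen for illustration; the real names in the jBPM console may differ.

```xml
<!-- Added example; not the project's own web.xml. All names below are assumed. -->

<!-- SECURITY WARNING: this servlet accepts uploads of process definitions
     from the Graphical Process Designer (GPD). Anyone who can reach it and
     authenticate in the role below can deploy arbitrary process definitions
     into the engine. Do not remove the security-constraint that follows, and
     remove or rename the default evaluation users before going to production. -->
<servlet>
  <servlet-name>GpdDeploymentServlet</servlet-name>            <!-- assumed name -->
  <servlet-class>org.example.jbpm.GpdDeploymentServlet</servlet-class> <!-- assumed class -->
</servlet>
<servlet-mapping>
  <servlet-name>GpdDeploymentServlet</servlet-name>
  <url-pattern>/upload</url-pattern>                           <!-- assumed path -->
</servlet-mapping>

<!-- Require an authenticated user in the deployer role for every request to
     the upload path. Deliberately no <http-method> element: listing methods
     (e.g. only POST) would leave all unlisted methods unprotected. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>GPD deployment</web-resource-name>
    <url-pattern>/upload</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>gpd-deployer</role-name>                       <!-- assumed role -->
  </auth-constraint>
  <!-- The GPD will send credentials with the upload; insist on TLS so they
       are not sent in the clear. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- HTTP Basic is the simplest scheme for a non-browser client such as the
     GPD to attach to its upload request. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>jbpm-console</realm-name>                        <!-- assumed realm -->
</login-config>

<security-role>
  <role-name>gpd-deployer</role-name>
</security-role>
```

With this in place the authorization model described in post 1 follows from the container: the constraint only admits principals mapped to the deployer role, so deleting the GPD user (or every user) through the console's identity management leaves nobody able to upload a new process definition. Two caveats a practitioner should check. A web application may declare only one login-config, so if the console already uses FORM authentication for its pages, the upload client has to complete that form login instead of sending Basic credentials, or the servlet has to live in its own web application. And the constraint covers only the path it names; if the servlet is also reachable through another mapping, that mapping needs its own constraint.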