[wsas-java-dev] Security improvements to WSAS
James Clark
james at wso2.com
Sun Feb 4 21:58:10 PST 2007
On Mon, 2007-02-05 at 10:57 +0530, Afkham Azeez wrote:
> We need to force the Admin user to change the default password the first
> time he tries to login, since there is a possibility someone may forget
> to change this when WSAS is used in production.
If the Admin user has not yet logged in, what IP addresses is WSAS
listening on? Is there a window of vulnerability between
- the time when WSAS is installed and
- the time when the Admin user changes the default password
during which somebody unauthorized can log in using the default password
from any IP address that can reach the WSAS machine? If so, then perhaps
we need a better scheme.
It's tough to get the initial setup to be both secure and convenient.
James
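One scheme that closes the window James describes, as an added example that is not code from this thread or from WSAS itself: while the shipped default password is still in effect, the admin login is accepted only from a loopback address (so knowing the default does not help anyone who can merely reach the machine over the network), the first successful login yields a "must change password" result rather than a session, and the replacement password may not be the default or trivially short. Attempts from non-loopback addresses during that window are recorded so the operator can see them. The default user name and password, the loopback-only policy, the 12-character minimum and the PBKDF2 parameters are all assumptions of this example, not WSAS settings; the random bootstrap password generator at the end shows the alternative of never shipping a well-known default at all.

```python
"""Bootstrap scheme for an admin account shipped with a default password.

Constructed example (not WSAS code). Two controls close the window between
install and the first password change:
  1. While the default credentials are still in effect, logins are accepted
     only from a loopback address; remote attempts are audited and refused.
  2. The first successful login is not a session: it returns
     MUST_CHANGE_PASSWORD, and a new password must be set before use.
"""
import hashlib
import hmac
import ipaddress
import secrets
from enum import Enum

# Assumed values for the example; not taken from the WSAS distribution.
DEFAULT_ADMIN_USER = "admin"
DEFAULT_ADMIN_PASSWORD = "admin"
MIN_PASSWORD_LEN = 12
PBKDF2_ROUNDS = 100_000
AUDIT_DEFAULT_REMOTE = "login attempted while default credentials in effect"


class LoginResult(Enum):
    OK = "ok"
    BAD_CREDENTIALS = "bad credentials"
    MUST_CHANGE_PASSWORD = "default password must be changed before use"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def generate_bootstrap_password() -> str:
    """Alternative to a well-known default: a random per-install password that
    the installer writes to a file readable only by the local administrator."""
    return secrets.token_urlsafe(24)


class AdminAccount:
    def __init__(self, username: str = DEFAULT_ADMIN_USER,
                 password: str = DEFAULT_ADMIN_PASSWORD):
        self.username = username
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(password, self._salt)
        # True until the shipped default has been replaced.
        self.must_change = True
        # (remote_addr, reason) pairs for the operator's log.
        self.audit = []

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, self._salt), self._hash)

    def login(self, username: str, password: str, remote_addr: str) -> LoginResult:
        """Authenticate one attempt from remote_addr (an IPv4 or IPv6 string)."""
        if self.must_change and not ipaddress.ip_address(remote_addr).is_loopback:
            # Refuse without distinguishing this case in the response, so a
            # remote caller cannot probe whether the default is still set.
            self.audit.append((remote_addr, AUDIT_DEFAULT_REMOTE))
            return LoginResult.BAD_CREDENTIALS
        if username != self.username or not self._check(password):
            return LoginResult.BAD_CREDENTIALS
        if self.must_change:
            return LoginResult.MUST_CHANGE_PASSWORD
        return LoginResult.OK

    def change_password(self, current: str, new: str) -> bool:
        """Replace the password; False if the current password is wrong or the
        new one is the default, unchanged, or shorter than MIN_PASSWORD_LEN."""
        if not self._check(current):
            return False
        if len(new) < MIN_PASSWORD_LEN or new in (DEFAULT_ADMIN_PASSWORD, current):
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(new, self._salt)
        self.must_change = False
        return True


if __name__ == "__main__":
    acct = AdminAccount()
    # Remote use of the default is refused and audited (203.0.113.7 is a
    # documentation address, constructed for this example).
    print(acct.login("admin", "admin", "203.0.113.7"), acct.audit)
    print(acct.login("admin", "admin", "127.0.0.1"))   # MUST_CHANGE_PASSWORD
    print(acct.change_password("admin", "correct horse battery"))  # True
    print(acct.login("admin", "correct horse battery", "203.0.113.7"))  # OK
```

The loopback restriction assumes the administrator can reach the console from the host itself (or over an SSH tunnel); a deployment that cannot offer that would instead use the random per-install password, which is what `generate_bootstrap_password` stands in for.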