[wsas-java-dev] Security improvements to WSAS
Sanjiva Weerawarana
sanjiva at wso2.com
Mon Feb 5 06:56:10 PST 2007
Wait wait, why can't the user just edit tungsten.xml and set the stuff up?
Or use a command line tool to configure it if it isn't editable? Basically
we shouldn't *require* *any* admin console actions. It should be possible
to bring up WSAS in a fully safe mode without any human intervention.
Sanjiva.
Samisa Abeysinghe wrote:
> James Clark wrote:
>>> Why should the initial setup be that secure? I do not think anyone
>>> would deploy the initial setup in a production environment.
>>>
>>
>> The short answer is that we should make things secure even for people
>> that are not sophisticated, competent and security-savvy.
>>
>> The simplest, more direct way to get something deployed on some server
>> is to set things up directly on that server. Obviously eBay isn't going
>> to do that, but maybe some overworked admin who's deploying on some
>> virtual hosted system somewhere might do. If they don't deploy it
>> directly, then they have to somehow move it over, which may not be
>> trivial: they may not have any local systems that are similar to the
>> production system. Also think of the case of using WSAS for the mashup
>> server: this is running on users' PCs that are connected directly to the
>> internet.
>>
> So if we make the default password changing to be part of the
> installation process, would that cater for the situation?
>
> Samisa...
--
Sanjiva Weerawarana, Ph.D.
Founder, Chairman & CEO; WSO2, Inc.; http://www.wso2.com/
email: sanjiva at wso2.com; cell: +94 77 787 6880; fax: +1 509 691 2000
"Oxygenating the Web Service Platform."