[wsas-java-dev] Security improvements to WSAS
Afkham Azeez
azeez at wso2.com
Mon Feb 5 23:54:22 PST 2007
We have a non-interactive startup mode. At the moment, we need to export
JAVA_OPTS="-Dwso2wsas.admin.password=xyz" before starting up WSAS. Then
during startup WSAS will not prompt you for a password.
Another thing we can do is:
./wso2wsas.sh --admin-password xyz
-- Azeez
James Clark wrote:
>> So, the admin user's password has to be entered for the first time when
>> WSAS is started up. WSAS will not start up until this is set. It is a
>> small price to pay for a more secure application.
>>
>> What do you think about this approach? Is there a better approach?
>
> Making initial startup non-interactive is not acceptable. Things need
> to be automatable. In the Linux world at least, both initial package
> installation and system startup are not expected to require user
> interaction.
>
> Possibilities I can think of:
>
> a) provide a command-line tool that sets the initial password; the admin
> would need to run this command explicitly before WSAS would startup; it
> would be able to read the password from stdin, so it wouldn't have to be
> run interactively
>
> b) generate a random default password on installation and write it to a
> file that is readable only by root (or whoever ran the installation); on
> first login require the admin to enter that password and change it to
> another password
>
> The problem with both these is discoverability. How can we make it easy
> for the admin to discover what they have to do to get started? Can we
> arrange that if the admin hasn't logged in yet, then going to the admin
> URL will just display a (non-password protected) page telling the admin
> what they need to do?
>
> James
--
Afkham Azeez
GPG Fingerprint: 643F C2AF EB78 F886 40C9 B2A2 4AE2 C887 665E 0760
http://www.wso2.org
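One way to implement the non-interactive first-start options discussed in this thread (the -Dwso2wsas.admin.password property, the --admin-password flag, a password piped on stdin as in James's option a, and a generated first-run password written to an owner-only file as in option b), as an added example that is not WSAS's own code; the --admin-password-stdin flag and the initial-password file path are assumptions.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.Base64;

/** Resolves the admin password for a non-interactive first start of the server. */
public final class AdminPasswordBootstrap {
    /** Hypothetical path for the generated initial password (assumption, not a WSAS path). */
    static final Path INITIAL_PASSWORD_FILE = Path.of("conf", "initial-admin-password.txt");
    /** The resolved password and whether the admin must change it at first login. */
    public record Result(char[] password, boolean mustChange) {}

    public static Result resolve(String[] args) throws IOException {
        // 1. JAVA_OPTS="-Dwso2wsas.admin.password=..." as described in the thread.
        String fromProperty = System.getProperty("wso2wsas.admin.password");
        if (fromProperty != null && !fromProperty.isEmpty()) {
            return new Result(fromProperty.toCharArray(), false);
        }
        // 2. --admin-password xyz; the value is visible to other local users via ps.
        for (int i = 0; i + 1 < args.length; i++) {
            if ("--admin-password".equals(args[i])) {
                return new Result(args[i + 1].toCharArray(), false);
            }
        }
        // 3. --admin-password-stdin (hypothetical flag): read one line piped in by a
        //    script, which keeps the secret out of the process table (option a).
        for (String a : args) {
            if ("--admin-password-stdin".equals(a)) {
                String line = new BufferedReader(
                        new InputStreamReader(System.in, StandardCharsets.UTF_8)).readLine();
                if (line == null || line.isEmpty()) throw new IOException("no password on stdin");
                return new Result(line.toCharArray(), false);
            }
        }
        // 4. Nothing supplied: generate a random password, create the file with owner-only
        //    permissions before writing it, and flag a mandatory change at first login (option b).
        byte[] raw = new byte[18];
        new SecureRandom().nextBytes(raw);
        String generated = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Files.createDirectories(INITIAL_PASSWORD_FILE.getParent());
        Files.createFile(INITIAL_PASSWORD_FILE,
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        Files.writeString(INITIAL_PASSWORD_FILE, generated + System.lineSeparator());
        return new Result(generated.toCharArray(), true);
    }
}
```

Whichever path supplies the password, the server should persist only a salted hash of it, and the generated-password file should be deleted once the admin has completed the forced change.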