[wsas-java-dev] Security improvements to WSAS
James Clark
james at wso2.com
Tue Feb 6 21:11:46 PST 2007
On Wed, 2007-02-07 at 09:32 +0530, Afkham Azeez wrote:
> James Clark wrote:
> > Possibilities I can think of:
> >
> > a) provide a command-line tool that sets the initial password; the admin
> > would need to run this command explicitly before WSAS would startup; it
> > would be able to read the password from stdin, so it wouldn't have to be
> > run interactively
>
> We need to force the user to do this. Aren't we making it simpler by
> giving the user a prompt during the first startup, instead of first
> asking the user to run toolX and change password (which is going to be
> interactive anyway), and then start WSAS?
The point is that running toolX wouldn't have to be interactive (and
would also take care of starting WSAS).
The problem with a prompt during first startup is that installing an
rpm/deb for a daemon is supposed to both install the daemon and run the
daemon's startup script (assuming the system isn't running single user),
and installing an rpm/deb HAS to work non-interactively. So if you want
to interactively prompt the user to do something, then that has to be
done via a command that the user runs explicitly, separately from the
rpm/deb installation. (It is possible with .deb for the user to supply
additional config information interactively, but then the package has to
interact with the user using debconf, and there have to be default
values so that it can work non-interactively.)
I suspect the right solution here is going to be system-dependent. With
MSI, if you're performing the installation non-interactively, then the
most natural thing would be to specify the password during the
installation.
In the Linux case, if the user is running WSAS on their workstation and
they have a desktop installed, then maybe the best thing would be to add
a WSAS entry to their start menu (this is a good thing to have anyway,
regardless of the current discussion). Normally, this entry would
simply run their default web browser and point it to the port on which
the admin server is running. But if the admin password hasn't been set
yet, it would run a trivial little GUI app that would ask for a password
and configure WSAS with that, before running the web browser.
James
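As an added illustration of option (a) above, a POSIX shell sketch of a first-run tool that reads the admin password from stdin (so a package post-install or automation script can drive it) and a startup wrapper that refuses to bring the daemon up until that has happened. This is example code written for this archive page, not WSAS code and not from anyone on the thread; the config path, key names and the salted-hash storage are assumptions.

```shell
#!/bin/sh
# Hypothetical config location; WSAS's real layout is not shown on the page.
WSAS_CONF="${WSAS_CONF:-$(mktemp -d)/admin.conf}"

# Store a salted SHA-256 digest rather than the plaintext password.
# (sha256sum is from coreutils; a real deployment would use a password KDF.)
hash_password() {
    salt="$1"; pw="$2"
    printf '%s%s' "$salt" "$pw" | sha256sum | cut -d' ' -f1
}

# set_admin_password: the non-interactive tool. The password arrives on
# stdin, so `echo "$PW" | set_admin_password` works from a script with
# no terminal attached. Empty passwords are rejected.
set_admin_password() {
    IFS= read -r pw
    [ -n "$pw" ] || { echo "refusing to set an empty admin password" >&2; return 1; }
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    umask 077   # config is readable by the service account only
    printf 'admin.salt=%s\nadmin.hash=%s\n' \
        "$salt" "$(hash_password "$salt" "$pw")" > "$WSAS_CONF"
}

# password_is_set: the check the daemon's startup script would run first.
password_is_set() {
    [ -s "$WSAS_CONF" ] && grep -q '^admin.hash=' "$WSAS_CONF"
}

# start_wsas: never starts with an unset admin password, so there is no
# window in which a default or blank credential is reachable on the port.
start_wsas() {
    if ! password_is_set; then
        echo "admin password not set; run: echo PASSWORD | set_admin_password" >&2
        return 1
    fi
    echo "starting WSAS (placeholder for the real startup command)"
}

# verify_password: what the admin console would call on a login attempt.
verify_password() {
    salt=$(sed -n 's/^admin.salt=//p' "$WSAS_CONF")
    stored=$(sed -n 's/^admin.hash=//p' "$WSAS_CONF")
    [ "$(hash_password "$salt" "$1")" = "$stored" ]
}
```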