[wsas-java-dev] Security improvements to WSAS

Paul Fremantle paul at wso2.com
Fri Feb 9 01:20:24 PST 2007


I have an alternative to these solutions. It's a little more work but.....


The idea is that we customize the install for each user. The user comes 
onto our site and selects the OS, install pack, and any other 
customization that might be useful (ports for the server for example). 
They also give us their email address. We generate a secure random admin 
password, create a small update to the base RPM/ZIP/MSI and then they 
download the customized install package. And we mail them the password.

The downside to this is that it might inhibit users downloading our 
system. It also might be a bit slower to create the download.

The upside is: 1) we solve the security problem before they install the 
RPM. 2) we get a much better idea of how and on what platform users are 
installing WSAS. We could also expand the idea into doing more custom 
building - perhaps including various combinations of our components to 
give users exactly what they want.

Of course in the first instance I would recommend that if we did this, 
we should run it in parallel to the existing static download. We could 
document on the website that if you want a secure install, you should 
choose the dynamic install package.

Paul

Afkham Azeez wrote:
> James Clark wrote:
>> Possibilities I can think of:
>>
>> a) provide a command-line tool that sets the initial password; the admin
>> would need to run this command explicitly before WSAS would startup; it
>> would be able to read the password from stdin, so it wouldn't have to be
>> run interactively
> 
> We need to force the user to do this. Aren't we making it simpler by
> giving the user a prompt during the first startup, instead of first
> asking the user to run toolX and change password (which is going to be
> interactive anyway), and then start WSAS?
> 
>> b) generate a random default password on installation and write it to a
>> file that is readable only by root (or whoever ran the installation); on
>> first login require the admin to enter that password and change it to
>> another password
> 
> Hmm, this seems like too much work for the user. He has to locate this
> file, copy the password, login to the Mgt Console, paste it, and change
> the password.
> 

-- 
Paul Fremantle
VP/Technology and Partnerships, WSO2
OASIS WS-RX TC Co-chair

http://bloglines.com/blog/paulfremantle
paul at wso2.com
(646) 290 8050

"Oxygenating the Web Service Platform", www.wso2.com
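Both James's option (b) and Paul's proposal rest on the same two install-time steps: generate a random initial admin password from a proper entropy source and store it where only the installing user can read it, then force a change at first login. The sketch below is an added example, not WSAS code or anything from this thread; the file path, the `must-change` marker and the function names are assumptions made here.

```shell
#!/bin/sh
# Constructed example of the install-time half of option (b). Not WSAS code.
# Assumed: the password file path and the "must-change=yes" marker line.

PW_FILE="${PW_FILE:-./admin.initial-password}"   # assumed path; an installer would use an /etc location
PW_LEN=20

# Draw the password from /dev/urandom, not from $RANDOM or the current time.
# 32 random bytes -> base64 -> drop '/', '+', '=' and newlines -> first PW_LEN chars.
generate_initial_password() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d '\n/+=' | cut -c1-"$PW_LEN"
}

# Write the file with mode 0600 from the moment it exists (umask before creation,
# inside a subshell so the caller's umask is untouched), plus the must-change marker.
write_password_file() {
    pw="$1"
    (
        umask 077
        rm -f "$PW_FILE"
        printf '%s\n' "$pw" > "$PW_FILE"
        printf 'must-change=yes\n' >> "$PW_FILE"
    )
}

# Startup sanity check: refuse to trust the file if anyone but the owner can read it.
password_file_is_private() {
    mode=$(ls -ld "$PW_FILE" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# First-login check: while the marker is present, the console must demand a new password.
must_change_password() {
    grep -q '^must-change=yes$' "$PW_FILE" 2>/dev/null
}

# Called once the admin has set a password of their own: the generated one is no longer needed.
clear_initial_password() {
    rm -f "$PW_FILE"
}
```

On a real install the generated value should be written only to the protected file (or, in Paul's variant, sent out of band), never echoed into build logs or shell history.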
