
feature request #7432

Show default login only if the account has not been changed

Added by Andreas Müller about 2 years ago. Updated about 1 month ago.

Status:
New
Priority:
Highest
Assignee:
Category:
taxeditor
Target version:
Start date:
05/18/2018
Due date:
% Done:

0%

Severity:
normal

Description

Copied from #4256:

Some time ago we discussed this issue and decided that the login dialog should mention the default credentials as long as the account has not been changed. This check can easily be done by comparing the login name and the digested password with the contents of the database.

The check can be done with org.springframework.security.authentication.encoding.Md5PasswordEncoder (bean: passwordEncoder) and the Salt (bean: saltSource)

see also #4256#note-19 and #4256#note-20
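As an added illustration of the check described above (not code from the taxeditor project), the snippet below reproduces what the legacy Spring Md5PasswordEncoder produces, assumed here to be the hex-encoded MD5 of "password{salt}", and uses it to decide whether the default account's stored digest is still the one a fresh database ships with. The salt, the placeholder default password and the sample user table are constructed values; the real default password and the saltSource value are not taken from this page.

```python
import hashlib
import hmac

# Default login name as named in this ticket; the password value is a
# CONSTRUCTED placeholder, not the project's real default.
DEFAULT_USERNAME = "admin"
DEFAULT_PASSWORD = "changeme-placeholder"


def md5_password_encoder(raw_password: str, salt: str) -> str:
    """Assumed replica of Spring Security's Md5PasswordEncoder:
    MD5 over 'password{salt}', returned as lowercase hex."""
    merged = f"{raw_password}{{{salt}}}"
    return hashlib.md5(merged.encode("utf-8")).hexdigest()


def default_credentials_in_use(stored_users: dict, salt: str) -> bool:
    """stored_users maps username -> digested password as read from the DB.
    True only when the default account still exists and its stored digest
    equals the digest of the default password, i.e. it was never changed."""
    stored_digest = stored_users.get(DEFAULT_USERNAME)
    if stored_digest is None:
        # Account renamed or removed: the default login no longer applies.
        return False
    expected = md5_password_encoder(DEFAULT_PASSWORD, salt)
    # Constant-time comparison so the check itself leaks no timing signal.
    return hmac.compare_digest(stored_digest.lower(), expected)


if __name__ == "__main__":
    SALT = "constructed-salt"  # placeholder for the saltSource bean's value
    fresh_db = {DEFAULT_USERNAME: md5_password_encoder(DEFAULT_PASSWORD, SALT)}
    changed_db = {DEFAULT_USERNAME: md5_password_encoder("new-secret", SALT)}
    print("fresh DB, show default hint:", default_credentials_in_use(fresh_db, SALT))
    print("changed DB, show default hint:", default_credentials_in_use(changed_db, SALT))
```

Because the comparison needs the stored digest and the salt, it belongs on the server side (as comment #12 below notes), with the client receiving only a yes/no answer.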

History

#2 Updated by Andreas Müller about 2 years ago

  • Description updated (diff)

#3 Updated by Andreas Müller about 2 years ago

  • Subject changed from SHow default login only if the account has not been changed to Show default login only if the account has not been changed

#4 Updated by Andreas Müller almost 2 years ago

  • Target version changed from Release 5.1 to Release 5.2

#5 Updated by Andreas Müller almost 2 years ago

  • Target version changed from Release 5.2 to Release 5.3

#6 Updated by Patrick Plitzner over 1 year ago

  • Target version changed from Release 5.3 to Release 5.4

#7 Updated by Patrick Plitzner over 1 year ago

  • Target version changed from Release 5.4 to Release 5.5

#8 Updated by Patrick Plitzner over 1 year ago

  • Target version changed from Release 5.5 to Release 5.6

#9 Updated by Patrick Plitzner over 1 year ago

  • Priority changed from New to Highest

#10 Updated by Patrick Plitzner over 1 year ago

  • Target version changed from Release 5.6 to Reviewed Next Major Release

#11 Updated by Andreas Müller 7 months ago

  • Assignee changed from Patrick Plitzner to Katja Luther

#12 Updated by Andreas Müller about 2 months ago

  • Target version changed from Reviewed Next Major Release to Release 5.15

Another solution could be to show the default password only if the host is localhost or if the instance is "localhost mgd". This covers the use case that some new user uses the built-in H2 DB for testing.
Also we could add a dialogue when a DB is created via the datasource view that the default login is ... and that it should be changed immediately.

The advantage here is that no explicit server call is needed (for comparing the existing password). The disadvantage is that DB admins are not immediately informed about the fact that the default password is still in use. But this later check could also be included into the CDM Server user interface where it is more secure to show the information as ordinary users do not have access to it and usually those having access are administrators anyway.

#13 Updated by Andreas Müller about 2 months ago

WGB:

And in the login dialog I stumble every time over the mention of the default (admin, ...) – that is clearly nonsensical, isn't it? (Hopefully!)

#14 Updated by Andreas Kohlbecker about 2 months ago

Andreas Müller wrote:

Another solution could be to show the default password only if the host is localhost or if the instance is "localhost mgd". This covers the use case that some new user uses the built-in H2 DB for testing.
Also we could add a dialogue when a DB is created via the datasource view that the default login is ... and that it should be changed immediately.

The advantage here is that no explicit server call is needed (for comparing the existing password). The disadvantage is that DB admins are not immediately informed about the fact that the default password is still in use. But this later check could also be included into the CDM Server user interface where it is more secure to show the information as ordinary users do not have access to it and usually those having access are administrators anyway.

Further possibilities are:

  • Show a help text when a first login attempt has failed, this text could include the information on the default user
  • Check for the default user credentials via web service authentication, this is a quick http request and does not require bootstrapping the spring context or a working db connection via hibernate etc.
  • ...

#15 Updated by Katja Luther about 1 month ago

  • Target version changed from Release 5.15 to Release 5.16
