feature request #7432

open

Show default login only if the account has not been changed

Added by Andreas Müller over 4 years ago. Updated almost 2 years ago.

Status: In Progress
Priority: Highest
Assignee:
Category: taxeditor
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Severity: normal

Description

Copied from #4256:

Some time ago we discussed this issue and decided that the login dialog should mention the default credentials as long as the account has not been changed. This check can easily be done by comparing the login name and the digested password with the contents of the database.

The check can be done with org.springframework.security.authentication.encoding.Md5PasswordEncoder (bean: passwordEncoder) and the Salt (bean: saltSource)

see also #4256#note-19 and #4256#note-20

Actions #2

Updated by Andreas Müller over 4 years ago

  • Description updated (diff)
Actions #3

Updated by Andreas Müller over 4 years ago

  • Subject changed from SHow default login only if the account has not been changed to Show default login only if the account has not been changed
Actions #4

Updated by Andreas Müller over 4 years ago

  • Target version changed from Release 5.1 to Release 5.2
Actions #5

Updated by Andreas Müller over 4 years ago

  • Target version changed from Release 5.2 to Release 5.3
Actions #6

Updated by Patrick Plitzner over 4 years ago

  • Target version changed from Release 5.3 to Release 5.4
Actions #7

Updated by Patrick Plitzner over 4 years ago

  • Target version changed from Release 5.4 to Release 5.5
Actions #8

Updated by Patrick Plitzner over 4 years ago

  • Target version changed from Release 5.5 to Release 5.6
Actions #9

Updated by Patrick Plitzner almost 4 years ago

  • Priority changed from New to Highest
Actions #10

Updated by Patrick Plitzner almost 4 years ago

  • Target version changed from Release 5.6 to Reviewed Next Major Release
Actions #11

Updated by Andreas Müller about 3 years ago

  • Assignee changed from Patrick Plitzner to Katja Luther
Actions #12

Updated by Andreas Müller almost 3 years ago

  • Target version changed from Reviewed Next Major Release to Release 5.15

Another solution could be to show the default password only if the host is localhost or if the instance is "localhost mgd". This covers the use case that a new user uses the built-in H2 DB for testing.
Also we could add a dialogue when a DB is created via the datasource view that the default login is ... and that it should be changed immediately.

The advantage here is that no explicit server call is needed (for comparing the existing password). The disadvantage is that DB admins are not immediately informed about the fact that the default password is still in use. But this latter check could also be included into the CDM Server user interface, where it is more secure to show the information, as ordinary users do not have access to it and usually those having access are administrators anyway.

Actions #13

Updated by Andreas Müller almost 3 years ago

WGB:

And in the login dialog I stumble every time over the mention of the default (admin, ...); that is clearly nonsensical, isn't it? (Hopefully!)

Actions #14

Updated by Andreas Kohlbecker almost 3 years ago

Andreas Müller wrote:

Another solution could be to show the default password only if the host is localhost or if the instance is "localhost mgd". This covers the use case that a new user uses the built-in H2 DB for testing.
Also we could add a dialogue when a DB is created via the datasource view that the default login is ... and that it should be changed immediately.

The advantage here is that no explicit server call is needed (for comparing the existing password). The disadvantage is that DB admins are not immediately informed about the fact that the default password is still in use. But this latter check could also be included into the CDM Server user interface, where it is more secure to show the information, as ordinary users do not have access to it and usually those having access are administrators anyway.

Further possibilities are:

  • Show a help text when a first login attempt has failed, this text could include the information on the default user
  • Check for the default user credentials via web service authentication, this is a quick http request and does not require bootstrapping the spring context or a working db connection via hibernate etc.
  • ...
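The two checks discussed in the description (digest comparison via the passwordEncoder and saltSource beans) and in comment #12 (localhost heuristic), sketched as an added example; this is not taxeditor or CDM code. The class name, the constructor wiring and the placeholder default credentials are assumptions; the Spring Security 3 `Md5PasswordEncoder` and `SaltSource` APIs are the ones the ticket names.

```java
// Added example (not taxeditor/CDM code): decides whether the login dialog may
// show the default-credentials hint, using the two checks discussed in the ticket.
import org.springframework.security.authentication.dao.SaltSource;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.core.userdetails.UserDetails;

public class DefaultLoginHint {

    // Placeholders: the real default credentials are deliberately not repeated here.
    private static final String DEFAULT_USER = "<default-user>";
    private static final String DEFAULT_PASSWORD = "<default-password>";

    private final Md5PasswordEncoder passwordEncoder; // bean: passwordEncoder
    private final SaltSource saltSource;              // bean: saltSource

    public DefaultLoginHint(Md5PasswordEncoder passwordEncoder, SaltSource saltSource) {
        this.passwordEncoder = passwordEncoder;
        this.saltSource = saltSource;
    }

    /**
     * Server-side check from the description: digest the default password with the
     * account's salt and compare it to the digest stored in the database. True means
     * the default account still has its default password and admins should be warned.
     */
    public boolean defaultCredentialsStillActive(UserDetails storedAccount) {
        if (storedAccount == null || !DEFAULT_USER.equals(storedAccount.getUsername())) {
            return false; // default account renamed or removed: nothing to warn about
        }
        Object salt = saltSource.getSalt(storedAccount);
        // isPasswordValid(encodedPassword, rawPassword, salt) re-digests the raw
        // default password with the same salt and compares it to the stored digest.
        return passwordEncoder.isPasswordValid(storedAccount.getPassword(), DEFAULT_PASSWORD, salt);
    }

    /**
     * Client-side heuristic from comment #12: no server call at all, only the
     * datasource's host and name. Covers the built-in H2 "localhost mgd" instance
     * used for testing; remote instances never get the hint.
     */
    public static boolean isLocalTestInstance(String host, String datasourceName) {
        boolean local = "localhost".equalsIgnoreCase(host) || "127.0.0.1".equals(host);
        return local || "localhost mgd".equals(datasourceName);
    }
}
```

The first method needs a database lookup of the stored account (the trade-off comment #12 describes); the second runs before any connection is opened.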
Actions #15

Updated by Katja Luther almost 3 years ago

  • Target version changed from Release 5.15 to Release 5.18
Actions #16

Updated by Andreas Müller over 2 years ago

  • Status changed from New to In Progress

Implemented now that default login is shown only for localhost mgd. (v 5.15)

Actions #17

Updated by Katja Luther about 2 years ago

  • Target version changed from Release 5.18 to Release 5.19
Actions #18

Updated by Andreas Müller about 2 years ago

  • Target version changed from Release 5.19 to Release 5.21
Actions #19

Updated by Katja Luther almost 2 years ago

  • Target version changed from Release 5.21 to Release 5.22
Actions #20

Updated by Katja Luther almost 2 years ago

  • Target version changed from Release 5.22 to Release 5.38