feature request #7432
open
Show default login only if the account has not been changed
Added by Andreas Müller almost 6 years ago.
Updated about 3 years ago.
Description
Copied from #4256:
Some time ago we discussed this issue and decided that the login dialog should mention the default credentials as long as the account has not been changed. This check can easily be done by comparing the login name and the digested password with the contents of the database.
The check can be done with org.springframework.security.authentication.encoding.Md5PasswordEncoder (bean: passwordEncoder) and the salt (bean: saltSource)
see also #4256#note-19 and #4256#note-20
- Description updated (diff)
- Subject changed from SHow default login only if the account has not been changed to Show default login only if the account has not been changed
- Target version changed from Release 5.1 to Release 5.2
- Target version changed from Release 5.2 to Release 5.3
- Target version changed from Release 5.3 to Release 5.4
- Target version changed from Release 5.4 to Release 5.5
- Target version changed from Release 5.5 to Release 5.6
- Priority changed from New to Highest
- Target version changed from Release 5.6 to Reviewed Next Major Release
- Assignee changed from Patrick Plitzner to Katja Luther
- Target version changed from Reviewed Next Major Release to Release 5.15
Another solution could be to show the default password only if the host is localhost or if the instance is "localhost mgd". This covers the use case that some new user uses the built-in H2 DB for testing.
Also we could add a dialogue when a DB is created via the datasource view that the default login is ... and that it should be changed immediately.
The advantage here is that no explicit server call is needed (for comparing the existing password). The disadvantage is that DB admins are not immediately informed about the fact that the default password is still in use. But this later check could also be included into the CDM Server user interface where it is more secure to show the information as ordinary users do not have access to it and usually those having access are administrators anyway.
WGB:
And in the login dialog I stumble every time over the mention of the default (admin, ...); that is clearly nonsensical, isn't it? (Hopefully!)
Andreas Müller wrote:
Another solution could be to show the default password only if the host is localhost or if the instance is "localhost mgd". This covers the use case that some new user uses the built-in H2 DB for testing.
Also we could add a dialogue when a DB is created via the datasource view that the default login is ... and that it should be changed immediately.
The advantage here is that no explicit server call is needed (for comparing the existing password). The disadvantage is that DB admins are not immediately informed about the fact that the default password is still in use. But this later check could also be included into the CDM Server user interface where it is more secure to show the information as ordinary users do not have access to it and usually those having access are administrators anyway.
Further possibilities are:
- Show a help text when a first login attempt has failed, this text could include the information on the default user
- Check for the default user credentials via web service authentication, this is a quick http request and does not require bootstrapping the spring context or a working db connection via hibernate etc.
- ...
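The two mechanisms discussed in this ticket, the server-side comparison of the stored digest against the default credentials (description) and the client-side "only hint the default login on localhost / localhost mgd" decision (the comment above), as an added example that is not CDM or Taxeditor code. It assumes the digest layout of Spring Security's old MessageDigestPasswordEncoder (which Md5PasswordEncoder extends): hex(MD5(rawPassword + "{" + salt + "}")), or hex(MD5(rawPassword)) when the salt is empty. The default user name "admin" is taken from the thread; the default password, the salt (here assumed to be the user name, as a saltSource bean might return it) and the stored rows are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example, not project code: checks whether an account still carries the
 * default credentials and decides whether the login dialog should mention them.
 */
public final class DefaultLoginHintCheck {

    /** Default account name mentioned in the ticket. */
    static final String DEFAULT_USER = "admin";

    /**
     * Reproduces the digest format of the deprecated Spring Security
     * MessageDigestPasswordEncoder as used by Md5PasswordEncoder (assumption, see lead-in):
     * hex(MD5(rawPassword + "{" + salt + "}")); no braces when there is no salt.
     */
    static String md5Encode(String rawPassword, Object salt) {
        String merged = (salt == null || salt.toString().isEmpty())
                ? rawPassword
                : rawPassword + "{" + salt + "}";
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(merged.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /**
     * Server-side check from the description: the account row still matches the
     * default login name and the digest of the default password. The digest
     * comparison is constant-time so the check itself leaks no timing information.
     */
    static boolean defaultCredentialsStillInUse(String storedUsername, String storedDigest,
                                                Object salt, String defaultPassword) {
        if (!DEFAULT_USER.equals(storedUsername)) {
            return false;
        }
        String expected = md5Encode(defaultPassword, salt);
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                storedDigest.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Client-side decision from the comment above: mention the default login only
     * when talking to a local test instance, so no server round trip is needed.
     */
    static boolean showDefaultLoginHint(String host, String datasourceName) {
        return "localhost".equalsIgnoreCase(host) || "localhost mgd".equals(datasourceName);
    }

    public static void main(String[] args) {
        // Constructed sample data: placeholder default password, salt = user name.
        String defaultPassword = "DEFAULT-PASSWORD-PLACEHOLDER";
        Object salt = DEFAULT_USER;

        // Simulated account rows: one untouched, one where the password was changed.
        String unchangedRow = md5Encode(defaultPassword, salt);
        String changedRow = md5Encode("some-new-password", salt);

        System.out.println("unchanged account, default still in use: "
                + defaultCredentialsStillInUse(DEFAULT_USER, unchangedRow, salt, defaultPassword)); // true
        System.out.println("changed account, default still in use:   "
                + defaultCredentialsStillInUse(DEFAULT_USER, changedRow, salt, defaultPassword));   // false

        System.out.println("hint on remote production datasource: "
                + showDefaultLoginHint("cdm.example.org", "production"));   // false
        System.out.println("hint on local H2 test instance:       "
                + showDefaultLoginHint("localhost", "localhost mgd"));      // true
    }
}
```

The two checks answer different questions: showDefaultLoginHint only decides whether a hint is appropriate for the connection at hand, while defaultCredentialsStillInUse tells an administrator that the default password is actually still set. As the thread notes, the second result is sensitive and belongs in an administrator-only surface such as the CDM Server user interface rather than in the general login dialog.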
- Target version changed from Release 5.15 to Release 5.18
- Status changed from New to In Progress
Implemented now that default login is shown only for localhost mgd. (v 5.15)
- Target version changed from Release 5.18 to Release 5.19
- Target version changed from Release 5.19 to Release 5.21
- Target version changed from Release 5.21 to Release 5.22
- Target version changed from Release 5.22 to Release 5.46