[Seaside-dev] Re: Initialize /seaside/config with random password?

Julian Fitzell jfitzell at gmail.com
Mon Sep 22 07:16:08 UTC 2008


On Mon, Sep 22, 2008 at 6:45 AM, Philippe Marschall
<philippe.marschall at gmail.com> wrote:
> 2008/9/22 Philippe Marschall <philippe.marschall at gmail.com>:
>> Hi
>>
>> I wanted to open this for discussion:
>>
>> Right now the configuration application has no password. One of the
>> reasons for this is that we want the code to load without user
>> interaction. This troubles me because even today there are publicly
>> accessible Seaside applications online that have default username and
>> password.
>>
>> A possible solution for this would be to set the password to a random
>> one during loading. Then the user would have to use WAAdmin to set the
>> password to something he knows. AFAIK several other web frameworks use
>> this approach.
>
> What I wanted to add is that in the permission denied message we could
> even tell the user what he has to do.

We could also force the user to pick a password when first logging
into the web interface. This isn't quite as secure because if they
never used the admin interface but left it running in production
somebody else could set a password and get in... but it's more
convenient. Depends what balance we want to strike... I think most
people either (a) use the web interface or (b) know what they're
doing.

Julian
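The two designs discussed in this thread, modelled side by side as an added example. This is not Seaside's code and uses Python rather than Smalltalk; the class names, the "admin" username, the password-hashing parameters and the wording of the permission-denied hint are all constructed for illustration. WAAdmin is only referred to in the hint text, as the thread does, and no WAAdmin API is assumed.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # constructed choice; any modern password KDF would do


class ConfigAppAuth:
    """Model of the 'random password at load' proposal (not Seaside's code).

    On load the password is set to a random value nobody is shown, so the
    configuration application is locked until an administrator sets a known
    password out of band (the WAAdmin step in the proposal)."""

    # Constructed wording for the permission-denied message the thread suggests.
    HINT = ("Permission denied: the config password was set to a random value "
            "when the code was loaded. Set a known password with WAAdmin first.")

    def __init__(self, username="admin"):  # username is constructed
        self.username = username
        self.password_is_random = True
        self._set(secrets.token_urlsafe(24))  # never displayed or logged

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def _set(self, password):
        self._salt = os.urandom(16)
        self._hash = self._derive(password, self._salt)

    def set_password(self, new_password):
        """What the out-of-band WAAdmin step would do: replace the random
        secret with one the administrator knows."""
        if len(new_password) < 8:
            raise ValueError("password too short")
        self._set(new_password)
        self.password_is_random = False

    def login(self, username, password):
        """Return (ok, message); a locked-out user is told what to do."""
        candidate = self._derive(password, self._salt)
        if username == self.username and hmac.compare_digest(candidate, self._hash):
            return True, "ok"
        if self.password_is_random:
            return False, self.HINT
        return False, "Permission denied."


class FirstLoginSetupAuth:
    """Model of the alternative in Julian's reply: the first login to the web
    interface picks the password. Convenient, but until that happens the
    first request to reach the interface defines the credential."""

    def __init__(self, username="admin"):
        self.username = username
        self._salt = None
        self._hash = None

    def needs_setup(self):
        return self._hash is None

    def login(self, username, password):
        if self.needs_setup():
            # Nothing to verify against yet: this request becomes the password.
            self._salt = os.urandom(16)
            self._hash = ConfigAppAuth._derive(password, self._salt)
            return True, "password set on first login"
        candidate = ConfigAppAuth._derive(password, self._salt)
        if username == self.username and hmac.compare_digest(candidate, self._hash):
            return True, "ok"
        return False, "Permission denied."


def demo():
    """Walk through both designs; returns True when behaviour matches the thread."""
    locked = ConfigAppAuth()
    ok, msg = locked.login("admin", "admin")   # a default guess gets the hint
    assert not ok and "WAAdmin" in msg
    locked.set_password("correct horse battery")
    assert locked.login("admin", "correct horse battery")[0]

    convenient = FirstLoginSetupAuth()
    # Whatever the first request carries becomes the password, so the real
    # administrator's later choice is rejected: this is the window Julian means.
    assert convenient.login("admin", "first-request-value")[0]
    assert not convenient.login("admin", "the-administrators-choice")[0]
    return True


if __name__ == "__main__":
    print("ok" if demo() else "failed")
```

The random-at-load variant fails closed: until someone with access to the image runs the WAAdmin step, every web login is refused and the refusal explains why. The first-login variant fails open for as long as nobody has logged in, which is the trade-off the reply describes.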

