[Geoserver-devel] [jira] (GEOS-5606) Add a possibility to obtain a forgotten master password

Christian Mueller created Improvement GEOS-5606
Add a possibility to obtain a forgotten master password

Issue Type: Improvement

Affects Versions: 2.3-beta1

Assignee: Christian Mueller

Components: Security

Created: 26/Jan/13 9:16 AM

Description:

Add a simple page on the GUI giving an admin the possibility to dump the master password to a file.

The name of the file acts as the shared secret between the admin and GeoServer.

There is a new public API

GeoserverSecurityManager.dumpMasterPassword(File file)

The following countermeasures should prevent misuse:

  1. The code triggers a stack trace and checks the caller. At the moment, only two methods are allowed to call this method: one test method and a second method, MasterPasswordInfoPage.dumpMasterPassword().

  2. The MasterPasswordInfoPage class has package visibility (all members too).

  3. The above class is in the package org.geoserver.security.web.password. This package is sealed.

Fix Versions: 2.3-RC1

Project: GeoServer

Priority: Major

Reporter: Christian Mueller
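
The caller check described in countermeasure 1, as an added example that is not part of the issue and not GeoServer's code (all class and method names are hypothetical; assumes Java 11+): a sensitive method reads its own stack trace and refuses any direct caller that is not on an allowlist. The check compares names only, so it depends on the other two countermeasures to limit which code can carry those names.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

// Added illustration: every name here is hypothetical, none is a GeoServer class.
public class CallerCheckDemo {
    static final class SecretManager {
        // "Class#method" entries allowed to request a dump.
        private static final Set<String> ALLOWED = Set.of("CallerCheckDemo$InfoPage#dump");

        // Writes the secret to 'target' only when the direct caller is allowlisted.
        static void dumpSecret(Path target) throws IOException {
            StackTraceElement[] stack = new Throwable().getStackTrace();
            // stack[0] is dumpSecret, stack[1] its direct caller; fail closed if absent.
            if (stack.length < 2) {
                throw new SecurityException("caller could not be determined");
            }
            String caller = stack[1].getClassName() + "#" + stack[1].getMethodName();
            if (!ALLOWED.contains(caller)) {
                throw new SecurityException("caller not allowed: " + caller);
            }
            Files.writeString(target, "constructed-placeholder-secret");
        }
    }

    // Package-private class and method, mirroring the visibility restriction in the issue.
    static final class InfoPage {
        static void dump(Path target) throws IOException { SecretManager.dumpSecret(target); }
    }

    // Any caller that is not on the allowlist is rejected before the file is written.
    static final class OtherCaller {
        static void tryDump(Path target) throws IOException { SecretManager.dumpSecret(target); }
    }

    public static void main(String[] args) throws IOException {
        Path target = Files.createTempFile("dump-demo", ".txt");
        InfoPage.dump(target);
        System.out.println("allowed caller wrote " + Files.size(target) + " bytes");
        try {
            OtherCaller.tryDump(target);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Files.delete(target);
    }
}
```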
