[Geoserver-users] The security of the Geoserver 1.6.0 ?

Hello dear sir,
In Geoserver 1.6.0, I found a problem. We can see

"The default is user=admin and password=geoserver. You can change these by editing GEOSERVER_DATA_DIR/security/users.properties; see Web Admin Tool Introduction for details." in the URL
http://localhost:8080/geoserver60/admin/login.do. I tried to visit http://localhost:8080/geoserver60/data/security/users.properties. To my surprise, it displays

# This is the admnistrator (as well as whoever else has the ROLE_ADMINISTRATOR attached)
admin=geoserver,ROLE_ADMINISTRATOR
# These are sample users you may uncomment if you want to test locking down wfs (see service.properties)
#wfst=wfst,ROLE_WFS_READ,ROLE_WFS_WRITE
wfs=wfs,ROLE_WFS_READ

So everyone knows the usernames and passwords, and can visit the config page. Is it safe? Is there something wrong?


Hello,

To my mind, it is your environment which is not safe.

First, you should read the page about setting up GeoServer in a production environment (http://geoserver.org/display/GEOSDOC/6+GeoServer+in+Production+Environment). The main thing to do is to move the data subdirectory outside the web application and configure GeoServer to use this directory: it works fine.

Then, you should perhaps configure your application container to forbid browsing of files and directories which are not HTML or JSP pages.

Cheers,

Alexandre Gacon

2008/3/4 Yang Zhaohui <yangzhaozhao2008@…887…> wrote (message quoted above).

Yang Zhaohui wrote (message quoted above).

Wow, this is a major security breach, and it happens when you deploy
a GeoServer .war file without defining an external data directory.
We did roll out a server to hide services.xml and catalog.xml, but
when moving to 1.6.x we did not extend it to cover the security
folder, argh!
Opened a jira issue here:
http://jira.codehaus.org/browse/GEOS-1785

Thanks a ton for reporting it. For the moment, I suggest everyone
set up an external data directory (it's good practice anyway
as it allows you to upgrade GeoServer in an easier way).
We'll try to deal with this one shortly.

Cheers
Andrea
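An added example, not code from this thread or from the GeoServer project: a small Python audit script for the two conditions raised in Alexandre's reply and in Andrea's message above, namely the data directory sitting inside the deployed web application (so that security/users.properties is served over HTTP) and the shipped admin/geoserver default still being in place. The webapps/geoserver/data layout, the audit function names and the rule that a servlet container serves everything under the web application root except WEB-INF and META-INF are this example's own assumptions; the users.properties sample is a constructed copy of the content quoted in the original report.

```python
"""Added example: audit a GeoServer 1.x data directory for the two problems
raised in this thread.  Not GeoServer's own code; the path layout and the audit
functions are assumptions of this example."""
import shutil
import tempfile
from pathlib import Path

# users.properties content as quoted in the original report (constructed copy
# for this example, with the line breaks the flat e-mail quote lost)
SAMPLE_USERS_PROPERTIES = """\
# This is the admnistrator (as well as whoever else has the ROLE_ADMINISTRATOR attached)
admin=geoserver,ROLE_ADMINISTRATOR
# These are sample users you may uncomment if you want to test locking down wfs (see service.properties)
#wfst=wfst,ROLE_WFS_READ,ROLE_WFS_WRITE
wfs=wfs,ROLE_WFS_READ
"""

# Shipped default credentials named in the thread (user -> password)
DEFAULT_CREDENTIALS = {"admin": "geoserver"}


def parse_users_properties(text):
    """Parse 'user=password,ROLE1,ROLE2' lines into {user: (password, [roles])}.
    '#' lines are comments, so the commented-out sample 'wfst' user is skipped."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition("=")
        fields = [f.strip() for f in rest.split(",")]
        users[user.strip()] = (fields[0], fields[1:])
    return users


def find_default_credentials(users):
    """Users whose password is still the shipped default."""
    return sorted(u for u, (pw, _) in users.items() if DEFAULT_CREDENTIALS.get(u) == pw)


def is_served_by_webapp(data_dir, webapp_root):
    """True when data_dir sits inside the exploded .war but outside WEB-INF/META-INF.
    That is the layout that let the reporter fetch users.properties over HTTP: a
    servlet container hands out everything under the web application root as
    static content except those two directories (assumption of this example)."""
    data = Path(data_dir).resolve()
    root = Path(webapp_root).resolve()
    try:
        rel = data.relative_to(root)
    except ValueError:  # not under the webapp at all: an external data directory
        return False
    return rel.parts[:1] not in (("WEB-INF",), ("META-INF",))


def audit(data_dir, webapp_root):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if is_served_by_webapp(data_dir, webapp_root):
        findings.append("data directory is inside the webapp; security/users.properties is fetchable over HTTP")
    users_file = Path(data_dir) / "security" / "users.properties"
    users = parse_users_properties(users_file.read_text())
    for user in find_default_credentials(users):
        findings.append(f"user '{user}' still has the shipped default password")
    return findings


def demo():
    """Build the vulnerable layout from the thread in a temp dir, audit it, then
    apply the fix recommended above (move the data directory out of the webapp)
    and audit again.  Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        webapp = Path(tmp) / "webapps" / "geoserver"
        data = webapp / "data"
        (data / "security").mkdir(parents=True)
        (data / "security" / "users.properties").write_text(SAMPLE_USERS_PROPERTIES)
        before = audit(data, webapp)

        external = Path(tmp) / "geoserver_data"  # outside the container's document root
        shutil.move(str(data), str(external))
        after = audit(external, webapp)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("data dir inside webapp:", *before, sep="\n  ")
    print("external data dir:", *after, sep="\n  ")
```

Run as-is, the vulnerable layout is flagged twice and the relocated one once: moving the data directory out of the web application stops the file from being served, but the default-password finding only goes away once users.properties is edited, which is the other half of what the login page text tells you to do.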

I would also like to remind you that if you, in any case, decide not to use Geoserver's security module, you have to switch it off. Like I needed data level authentication and because of that, I decided to use virtual hosts in Tomcat and authenticate them with OpenLdap+JNDI. But of course I forgot to shut Geoserver's own security off and did a lot of head banging before I realised what was going on.

But remember, if you switch it off, you're on your own!

reg
mika

Andrea Aime wrote (message quoted above).

Lehtonen, Mika wrote (message quoted above).

Should anybody need them, some info on the security subsystem and how to disable it are here:
http://geoserver.org/display/GEOSDOC/5+Security+subsystem

Cheers
Andrea

It runs well. Thanks a lot, everyone!