Make default password enabled by default, inherit server password

I think that the default password should be set by default. I've used railo for 3-4 years and never even knew about this feature, yet it's a gaping security hole if you don't visit the web administrator for each site you create and set a password.

32 votes
anonymous shared this idea

    5 comments

• Bruce Kirkpatrick commented

I agree that the best security should be the default option since it took me a few weeks until I noticed the default feature too. I never figured out how to get tomcat to use SSL, but if you could make the railo admin only run with an SSL connection, have configurable banning for repeated failures and install tomcat with a self-signed certificate for localhost, that would be even better since sending plain-text passwords is also undesirable as a default configuration. Later, I fronted apache and used apache ssl instead to do this, but I haven't prevented brute force attacks yet. I'll have to run railo admin on a different port that is blocked by the firewall and mod_rewrite /railo-context/ to fail requests to secure it fully. I've tried to use only secure methods to admin my server. I just realized I could ssh tunnel the insecure tomcat port instead like I've done for mysql using putty to avoid figuring out tomcat ssl.
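As an added example (not from this thread or from the Railo project) of the fronting approach Bruce describes: an Apache httpd 2.4 configuration that forces HTTPS, answers 403 to the Railo administrator URLs unless the request comes from the local machine (for instance over an SSH tunnel), and proxies everything else to Tomcat. The hostname, certificate paths, backend port 8888 and the /railo-context/admin/ prefix are assumptions.

```apache
# Plain HTTP: send every request to HTTPS so admin passwords never travel in clear.
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine On
    # Certificate and key locations are assumed; use your own.
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # Assumed prefix for the Railo server and web administrators.
    # "Require local" (httpd 2.4) allows only 127.0.0.1 / ::1, so an unset
    # web-admin password is not reachable from the Internet; reach it via
    # an SSH tunnel to the box instead.
    <LocationMatch "^/railo-context/admin/">
        Require local
    </LocationMatch>

    # Everything else goes to Tomcat on the backend port (assumed 8888).
    # That port should additionally be blocked from outside by the host firewall,
    # otherwise this whole front-end can be bypassed.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8888/
    ProxyPassReverse / http://127.0.0.1:8888/
</VirtualHost>
```

Requires mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http to be loaded; on httpd 2.2 the LocationMatch block would use Order/Deny/Allow instead of Require.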

• Tim Schottler commented

        Definitely would like to see this. Nearly didn't notice that after converting 5 fairly large websites running on a load balanced setup across a couple web servers. Hitting each and every web admin to set a password was a pain, and counter-intuitive after setting the server password.

• Adrian Lynch commented

        I've found sites out there without the web admin password set so it would help.

        (I did email them but heard nothing back!)
