make digest default authentication in defaults/web.xml

reger24 committed Mar 15, 2017
1 parent 56d0a87 commit f7fce1baade428f1748414cd169e65359694ee45
Showing with 1 addition and 1 deletion.
  1. +1 −1 defaults/web.xml
@@ -122,7 +122,7 @@
changing the peer name will invalidate all passwords
!!! Attention !!! prior to change this to DIGEST you have to reenter your password
to calculate a correct password hash -->
<auth-method>BASIC</auth-method>
<auth-method>DIGEST</auth-method>
</login-config>
<!-- Roles -->
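Review bot: the warning comment directly above the changed line ("prior to change this to DIGEST you have to reenter your password to calculate a correct password hash") was written for an operator who opts into DIGEST deliberately; flipping the shipped default means every existing installation whose stored hash was calculated for BASIC will fail admin authentication after the upgrade until the password is re-entered, and neither this one-line change nor the commit message says so. Suggest rewording the comment to state that DIGEST is now the default and that peers upgraded from a BASIC default must re-enter the admin password, and recording that migration step in the commit message (or, better, keeping a BASIC fallback until the hash has been re-entered).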

4 comments on commit f7fce1b

@luccioman (Member) replied Mar 17, 2017

Hi @reger24, what is a bit annoying is that with digest authentication the bash scripts from bin/ and the stopYACY.sh script fail when unauthenticated access from localhost is disabled, because with curl and wget the password has to be specified in clear text on the command line.
Using the encoded value from adminAccountBase64MD5 worked in basic authentication mode because curl/wget send it unmodified in that case and specific code for that case is running server side.

We can fix this by making bash scripts interactive (no password in curl command line, and "--ask-password" with wget make these tools prompt for password), and/or consider filling an environment variable with the clear-text password as a prerequisite to running these scripts. What do you think?
Keeping BASIC authentication as default but enabling TLS (https) as default could be another viable and maybe more secure option...

@reger24 (Member) replied Mar 17, 2017

Hm, @luccioman,
I have to look whether I see another solution than going back to stone-age (nowhere recommended) BASIC auth.
As a quick fix one can copy web.xml to DATA/SETTINGS/web.xml with the setting BASIC.
The web.xml in DATA/settings takes precedence and on startup overwrites the (now) default DIGEST.

@reger24 (Member) replied Mar 18, 2017

@luccioman,
I like your idea with the password in an environment variable. This would allow setting it manually, per script, even interactively. I have had the DIGEST option as default in mind for a long time, as it is not nice today to send passwords more or less in clear text over the net (as default ... and by this our recommended way).

Another brute-force way would be (like Tomcat) using a separate shutdown socket/port, with the possible advantage that it might still work to shut down yacy if we get a hanging web frontend (as reported in bugs and experienced in the past).
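The two proposals above (an interactive prompt so the password never appears on the curl command line, or an environment variable filled before the script runs) can be combined in one small POSIX shell helper. The block below is an added example and is not one of YaCy's own bin/ scripts or stopYACY.sh; it assumes a hypothetical environment variable name YACY_ADMIN_PASSWORD, an admin user named "admin", and a constructed placeholder URL. The credentials are handed to curl through a config file read from stdin (`-K -`), so they appear neither in argv (visible in `ps` and shell history) nor on disk, and the `digest` line selects HTTP Digest authentication, so the password itself is never sent over the wire.

```shell
#!/bin/sh
# Added example, not part of YaCy. Calls a DIGEST-protected admin URL from a
# shell script without putting the password on the curl command line.
# Assumptions: admin user name "admin", password in the hypothetical
# environment variable YACY_ADMIN_PASSWORD (or prompted for interactively),
# and a constructed placeholder URL supplied by the caller.

# Emit a curl config body (one option per line). Feeding credentials to curl
# this way keeps them out of argv, so they are not visible in `ps` output or
# shell history. The first line selects the HTTP auth scheme: "digest" or
# "basic" (the latter would send the password base64-encoded, i.e. in clear).
build_curl_config() {
    user="$1"; pass="$2"; url="$3"; method="${4:-digest}"
    printf '%s\n' "$method"
    # Caveat: a password containing '"' or '\' must be backslash-escaped here
    # because curl parses quoted config values with those escapes.
    printf 'user = "%s:%s"\n' "$user" "$pass"
    printf 'url = "%s"\n' "$url"
    # fail on HTTP errors (e.g. 401), stay quiet otherwise, but show errors
    printf '%s\n' "fail" "silent" "show-error"
}

# Resolve the password: environment variable first, interactive prompt second
# (only when stdin is a terminal), otherwise report failure to the caller.
resolve_password() {
    if [ -n "${YACY_ADMIN_PASSWORD:-}" ]; then
        printf '%s' "$YACY_ADMIN_PASSWORD"
        return 0
    fi
    if [ -t 0 ]; then
        printf 'Admin password: ' >&2
        stty -echo; read -r pw; stty echo; printf '\n' >&2
        printf '%s' "$pw"
        return 0
    fi
    return 1
}

# Perform the request. The config is piped into curl on stdin (-K -), so the
# password touches neither the filesystem nor the command line.
yacy_admin_request() {
    url="$1"; user="${2:-admin}"
    pass=$(resolve_password) || { echo "no admin password available" >&2; return 1; }
    build_curl_config "$user" "$pass" "$url" | curl -K -
}

# Usage (placeholder URL, constructed for this example):
#   YACY_ADMIN_PASSWORD='s3cret' sh this_script.sh  # non-interactive
#   yacy_admin_request "http://localhost:8090/PLACEHOLDER_ADMIN_PAGE"
```

For a shutdown script the same helper is called with the peer's shutdown URL; when the script runs unattended (cron, init system) the environment variable path is the only one that works, which is exactly the prerequisite the discussion above proposes.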

@luccioman (Member) replied Mar 21, 2017

@reger24 you are probably right, in the end Basic authentication as default is not a good idea because it is too easy to forget using https when authenticating on a remote peer.
I refactored the shell scripts a bit (see 29e5110) to make them reliable and work with the various currently available authentication methods. I hope I covered enough test scenarios.

For now I did not include your new shutdown method in the existing shutdown script, but I guess it should be considered.

Have a nice day.
