From: Alessandro V. <av...@sc...> - 2007-02-02 03:09:42
Hi Daniel,

Daniel E. Renfer wrote:
>
> I don't see why you would say that the guest password would be sent in
> the clear. If a username and password is provided in the
> datasource.xml file then wouldn't a user have no access to it? I mean,
> aside from a MitM attack between the Orbeon Forms server and the eXist
> server that is. Is that even possible if exist is running in an
> embedded context? I wouldn't think so.
>

I agree. And since in most cases eXist will run on the same server or even the same Tomcat as Orbeon Forms, communication between the 2 stays local, and there is no reason to be concerned with the password being transmitted in clear.

My point was that assuming you prevent the eXist port from being accessed from the outside, you don't gain much by having a password for guest: that password will be stored in clear on disk by your Orbeon Forms application as it needs it, and so if someone manages to get access to the machine, they can easily access that file with the password, and then access eXist. So in most of the cases I see, there is really no need to change the guest password.

Alex
--
Orbeon Forms - Web Forms for the Enterprise, Done the Right Way
http://www.orbeon.com/