Thursday Nov 05, 2009
Harden OpenSSO By Disabling ssoadm.jsp
Even though it is still something of a secret, we've just added a property that lets you disable ssoadm.jsp to harden your deployment and reduce its attack surface. The property is ssoadm.disabled; add it with a value of true to the server's Advanced properties.
- Log into the OpenSSO console as administrator.
- Click the Configuration tab.
- Click the Servers and Sites tab.
- Click the Server name in the Servers table.
- Click the Advanced tab.
- Click Add in the Advanced Properties table.
- Enter ssoadm.disabled as the Property Name and true as the Property Value.
- Click Save.
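The same change can be scripted and then verified from the ssoadm command line, which is handy when a site has several servers. This is an added example, not code from the post; it assumes the ssoadm CLI's update-server-cfg and list-server-cfg subcommands, that list-server-cfg prints advanced properties as key=value lines, and a server name such as http://host:8080/opensso (all assumptions).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the ssoadm CLI's
# update-server-cfg and list-server-cfg subcommands and that list-server-cfg
# prints advanced properties as key=value lines (assumptions, not from the post).

# Classify a server configuration listing: prints "disabled" only when
# ssoadm.disabled is present and true; anything else means ssoadm.jsp is live.
ssoadm_jsp_state() {
  listing="$1"
  value=$(printf '%s\n' "$listing" | tr -d '\r' \
    | sed -n 's/^[[:space:]]*ssoadm\.disabled[[:space:]]*=[[:space:]]*//p' \
    | sed 's/[[:space:]]*$//' | tail -n 1)
  case "$value" in
    true|TRUE|True) echo disabled ;;
    *)              echo enabled ;;
  esac
}

# Apply the property to one server and confirm it stuck. SERVER is the name
# shown in the console's Servers table, e.g. http://host:8080/opensso (assumed).
harden_server() {
  server="$1"; pwfile="$2"
  ssoadm update-server-cfg --adminid amadmin --password-file "$pwfile" \
    --servername "$server" --attributevalues ssoadm.disabled=true
  listing=$(ssoadm list-server-cfg --adminid amadmin --password-file "$pwfile" \
    --servername "$server")
  [ "$(ssoadm_jsp_state "$listing")" = disabled ]
}

# Constructed sample listings used to exercise the classifier offline.
SAMPLE_HARDENED='com.iplanet.am.server.port=8080
ssoadm.disabled=true'
SAMPLE_DEFAULT='com.iplanet.am.server.port=8080'
SAMPLE_WRONG='ssoadm.disabled=false'

# Run the live hardening only when asked: ./harden.sh --apply <server> <password-file>
if [ "${1:-}" = "--apply" ]; then
  harden_server "$2" "$3"
fi
```

A listing without the property, or with any value other than true, is reported as enabled, so the check fails safe if the property was mistyped in the console.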
Posted at 04:52PM Nov 05, 2009 by Michael Teger in Sun | Comments[3]

Why doesn't the ssoadm.jsp page have the same authentication and authorization checks as showServerConfig.jsp, encode.jsp and Debug.jsp?
The ssoadm.jsp MUST implement more authorization than it does now. It's ALL open for all authenticated users.
By the way, why are these pages hidden at all? Shouldn't they be more visible and part of the console?
Posted by Arne Berner on January 18, 2010 at 03:22 AM PST #
Arne, ssoadm.jsp is not a supported part of OpenSSO. It was developed as the web version of the ssoadm command line interface. The other pages you mentioned are supported and thus the differences.
Posted by DocTeger on January 20, 2010 at 08:12 AM PST #
This gives just better reason why this function should be disabled by default. A hidden and unsupported function like this should not be enabled by default. The authentication and authorization checks are way too weak.
I hope you change the property to: ssoadm.enabled
and set it to:
ssoadm.enabled=false as default.
Posted by Arne Berner on January 21, 2010 at 01:47 AM PST #