Harden OpenSSO By Disabling ssoadm.jsp

Even though it is still something of a secret, we've just added a property that lets you disable ssoadm.jsp to harden your system and reduce its attack surface. The property is ssoadm.disabled; add it with a value of true to the server's Advanced properties.

  1. Log into the OpenSSO console as administrator.
  2. Click the Configuration tab.
  3. Click the Servers and Sites tab.
  4. Click the Server name in the Servers table.
  5. Click the Advanced tab.
  6. Click Add in the Advanced Properties table.
  7. Enter ssoadm.disabled as the Property Name and true as the Property Value.
  8. Click Save.

You can also add this property as a default setting for future server configurations by clicking the Default Server Settings button under the Servers and Sites tab.

And now here's the only song that I know of that uses the word harden. The video is a live performance of Quarterflash singing (and playing saxophone on) Harden My Heart.

Comments:

Why doesn't the ssoadm.jsp page have the same authentication and authorization checks as showServerConfig.jsp, encode.jsp and Debug.jsp?
The ssoadm.jsp MUST implement more authorization. As it is now, it's ALL open to all authenticated users.

By the way, why are these pages hidden at all? Shouldn't they be more visible and part of the console?

Posted by Arne Berner on January 17, 2010 at 07:22 PM PST #

Arne, ssoadm.jsp is not a supported part of OpenSSO. It was developed as the web version of the ssoadm command line interface. The other pages you mentioned are supported and thus the differences.

Posted by DocTeger on January 20, 2010 at 12:12 AM PST #

This gives an even better reason why this function should be disabled by default. A hidden and unsupported function like this should not be enabled by default. The authentication and authorization checks are way too weak.
I hope you change the property to: ssoadm.enabled
and set it to:
ssoadm.enabled=false by default.

Posted by Arne Berner on January 20, 2010 at 05:47 PM PST #
