[DOCU-2093] Doc Site Feedback

Created: 21/Dec/20
Updated: 12/Apr/21
Resolved: 11/Jan/21

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Priority: Neutral
Reporter: Jan Schulte
Assignee: Ashraf Khamis
Resolution: Won't Do
Votes: 0
Labels: services
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Documentation page URL: https://docs.magnolia-cms.com/product-docs/Administration/Security/Security-best-practices.html
Reporter Name: Jan Schulte
Email: jan.schulte@magnolia-cms.com

Comments
Comment by Ashraf Khamis [ 11/Jan/21 ]

Roman: "That password is just used internally, so it probably doesn't make sense to hide it."

See also https://docs.magnolia-cms.com/product-docs/Administration/Architecture/Configuration-management.html#_defining_properties:

Jackrabbit uses the default admin values of magnolia.connection.jcr.password and magnolia.connection.jcr.userId to initialize its internal admin account to access the repository. When Magnolia initializes the session, it uses the same parameters to connect to the repository to obtain the session before logging in the user.

There is no security risk with those values because they are used only internally to communicate between Magnolia and Jackrabbit and are not exposed to the outside world. With those credentials, you cannot log in to the repository via UI or externally since Magnolia keeps exclusive access to it.

Closing the ticket as Won't Do.
