Build Forge Security: secure user login vs. secure session
Build Forge installs a secure login mechanism by default when you give a login/password pair on the Security Configuration panel during installation.
During login, you are shown a login panel over https. This is managed by an authentication servlet. The login credentials are encrypted when they are sent to the BF console.
After login authentication, BF uses http by default for sessions. In order to implement secure sessions, you need to set up https/ssl as described in the installation guide.
See WI 20673 - the use of the secure login will be described more clearly.
2 answers
To confirm the issue:
Secure login is a separate feature from HTTPS/SSL.
Providing a keystore password during login is sufficient to activate secure login.
Providing that keystore password is also required as a first step to setting up HTTPS/SSL. There are other options that you must select during installation as well, plus a significant amount of console configuration. The process is documented.
Secure login can be deactivated using the instructions given. It does not affect HTTPS/SSL session operation. Nor does turning off HTTPS/SSL affect secure login.
Resolved 20673: Changed title of topic "About default login security" to "Secure login" and moved it to a higher-level topic in "Security Features," out of "Enabling HTTPS and SSL." Also updated Planning, Preinstallation, and Installation Steps to more clearly refer to Secure Login vs. HTTPS/SSL.