
Option to disable login #37

Open
nathanweeks opened this issue Feb 3, 2022 · 4 comments

Comments

@nathanweeks

It would be helpful to have a configuration option to disable logins (e.g., to meet site security requirements).

@GuilhemSempere
Collaborator

Could you explain your idea a bit more?

@nathanweeks
Author

Perhaps an environment variable (e.g., GIGWA_DISABLE_LOGIN) that, when set (e.g., for the tomcat service defined in the docker-compose.yml file), removes the ability to log in? A public-facing Gigwa instance that is behind a reverse proxy (probably the typical setup) could be taken "offline" for database updates by, e.g.:

  1. Disable reverse proxying to Gigwa
  2. Restart the tomcat service without the GIGWA_DISABLE_LOGIN environment variable
  3. Make the updates
  4. Restart the tomcat service with GIGWA_DISABLE_LOGIN=1
  5. Re-enable the reverse proxy

This would allow a public-facing Gigwa instance to be less vulnerable to hacking attempts, meet organization security policy requirements, etc.
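The five-step maintenance window above, written out as a shell script. This is an added example and is not Gigwa's code or anything posted in this thread. It assumes several things that the issue does not settle: GIGWA_DISABLE_LOGIN is the variable proposed here and does not exist in Gigwa; the docker-compose.yml is assumed to pass it through from a .env file as `GIGWA_DISABLE_LOGIN=${GIGWA_DISABLE_LOGIN:-0}`; the external proxy is assumed to be nginx, to include a snippet file from its server block, and to reach Tomcat at 127.0.0.1:8080. The script name gigwa-maintenance.sh is likewise made up for the example.

```shell
#!/bin/sh
# Maintenance-window helper for a Gigwa (Tomcat) container behind an external
# reverse proxy. Added example, not Gigwa's code. Assumptions:
#   - GIGWA_DISABLE_LOGIN is the variable proposed in this issue (hypothetical);
#     docker-compose.yml is assumed to pass it through from .env, e.g.
#       environment:
#         - GIGWA_DISABLE_LOGIN=${GIGWA_DISABLE_LOGIN:-0}
#   - nginx fronts Tomcat (assumed at 127.0.0.1:8080) and its server block
#     does "include /etc/nginx/snippets/gigwa-upstream.conf;"
set -eu

ENV_FILE="${ENV_FILE:-.env}"
NGINX_SNIPPET="${NGINX_SNIPPET:-/etc/nginx/snippets/gigwa-upstream.conf}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints docker/nginx commands instead of running them

# Idempotently set KEY=VALUE in an env file: drop any existing KEY line, then append.
set_env_var() {
    file="$1"; key="$2"; value="$3"
    touch "$file"
    # grep -v exits 1 when it selects nothing (file held only KEY), so tolerate that
    grep -v "^${key}=" "$file" > "$file.tmp" || true
    mv "$file.tmp" "$file"
    printf '%s=%s\n' "$key" "$value" >> "$file"
}

# Print the value of KEY from an env file (last occurrence wins); empty when absent.
get_env_var() {
    file="$1"; key="$2"
    [ -f "$file" ] || return 0
    grep "^${key}=" "$file" | tail -n 1 | cut -d= -f2-
}

# Render the nginx snippet: "online" forwards to Tomcat, "offline" answers 503 for
# everything, so during updates not even the login page is reachable from outside.
proxy_snippet() {
    case "$1" in
        online)
            cat <<'EOF'
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
}
EOF
            ;;
        offline)
            cat <<'EOF'
location / {
    return 503;
}
EOF
            ;;
        *)
            echo "usage: proxy_snippet online|offline" >&2
            return 2
            ;;
    esac
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Steps 1-5 from the comment above, in order.
maintenance_window() {
    proxy_snippet offline > "$NGINX_SNIPPET"          # 1. stop proxying to Gigwa
    run nginx -s reload
    set_env_var "$ENV_FILE" GIGWA_DISABLE_LOGIN 0      # 2. Tomcat with logins enabled
    run docker compose up -d --force-recreate tomcat
    printf 'Proxy is offline and logins are enabled; do the DB updates, then press Enter.\n'
    read -r dummy                                     # 3. operator makes the updates
    set_env_var "$ENV_FILE" GIGWA_DISABLE_LOGIN 1      # 4. Tomcat with logins disabled
    run docker compose up -d --force-recreate tomcat
    proxy_snippet online > "$NGINX_SNIPPET"           # 5. re-enable the proxy
    run nginx -s reload
}

# Only start the procedure when invoked as "sh gigwa-maintenance.sh run".
if [ "${1:-}" = "run" ]; then
    maintenance_window
fi
```

Rehearse it without touching Docker or nginx with `DRY_RUN=1 ENV_FILE=/tmp/gigwa.env NGINX_SNIPPET=/tmp/gigwa-upstream.conf sh gigwa-maintenance.sh run`. The point of step 1 is that the 503 snippet cuts off the whole site at the proxy, so the window in which logins are enabled is never exposed to the internet, whatever the application itself does with the flag.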

@GuilhemSempere
Collaborator

My understanding is that you're talking about cases where all DBs would be public and no one except the administrator would need to log into the system, correct? If you're referring to adding an Apache layer on top of Tomcat, I would rather avoid adding weight and complexity to the Docker image. I'm sure disabling the authentication system could be achieved by commenting out or amending a couple of lines in applicationContext-security.xml.

@nathanweeks
Author

Thanks! I'm referring to the scenario where the tomcat container is behind an existing external reverse proxy / load balancer (that also handles TLS termination, etc.) that is not specified in the docker-compose.yml.

If commenting out lines in applicationContext-security.xml prevented user login, that would be the most important first step towards a workable solution. Ultimately, it would be preferable to disable the login page completely (and remove the "Log-in" button from the navbar) to be more convincing for organization security personnel that the site is in compliance with such security policies, and to avoid attracting hackers to even a non-functional login page.
