diff -r -C 4 openfire_src_3_6_0/src/java/org/jivesoftware/admin/AuthCheckFilter.java openfire_patch_3_6_0a/src/java/org/jivesoftware/admin/AuthCheckFilter.java
*** openfire_src_3_6_0/src/java/org/jivesoftware/admin/AuthCheckFilter.java 2008-08-29 06:13:22.000000000 +0200
--- openfire_patch_3_6_0a/src/java/org/jivesoftware/admin/AuthCheckFilter.java 2008-11-12 16:53:18.000000000 +0100
***************
*** 77,94 ****
String loginPage = defaultLoginPage;
if (loginPage == null) {
loginPage = request.getContextPath() + "/login.jsp";
}
! String url = request.getRequestURL().toString();
! boolean doExclude = false;
! for (String exclude : excludes) {
! if (url.indexOf(exclude) > -1) {
! doExclude = true;
! break;
! }
! }
if (!doExclude) {
WebManager manager = new WebManager();
manager.init(request, response, request.getSession(), context);
if (manager.getUser() == null) {
--- 77,90 ----
String loginPage = defaultLoginPage;
if (loginPage == null) {
loginPage = request.getContextPath() + "/login.jsp";
}
+
! String srvpath = request.getServletPath();
! boolean doExclude = XMPPServer.getInstance().isSetupMode() || excludes.contains(srvpath);
!
if (!doExclude) {
WebManager manager = new WebManager();
manager.init(request, response, request.getSession(), context);
if (manager.getUser() == null) {
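Review bot: The `XMPPServer.getInstance().isSetupMode() ||` short-circuit on the new `doExclude` line skips the login check for every servlet path while the server is in setup mode, not only for the setup pages. If any non-setup admin page is reachable in that state (the page mapping is not visible here), it is served without a session check; scoping the bypass would be tighter, e.g. `boolean doExclude = excludes.contains(srvpath) || (XMPPServer.getInstance().isSetupMode() && srvpath.startsWith("/setup/"));`. `excludes.contains(srvpath)` is a whole-path match only if `excludes` is a collection of trimmed path strings; its declaration and the filter's init code are outside the hunk, as is the rest of the enclosing method. A short comment such as `// Match the servlet path exactly; substring matching on the raw request URL treated unrelated URLs as excluded.` would record why the lookup changed.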
diff -r -C 4 openfire_src_3_6_0/src/web/index.jsp openfire_patch_3_6_0a/src/web/index.jsp
*** openfire_src_3_6_0/src/web/index.jsp 2008-08-29 06:13:17.000000000 +0200
--- openfire_patch_3_6_0a/src/web/index.jsp 2008-11-12 16:49:22.000000000 +0100
***************
*** 53,60 ****
--- 53,68 ----
<%-- Define Administration Bean --%>
<jsp:useBean id="webManager" class="org.jivesoftware.util.WebManager" />
<% webManager.init(request, response, session, application, out); %>
+ <%-- Check if in setup mode --%>
+ <%
+ if (webManager.isSetupMode()) {
+ response.sendRedirect("setup/index.jsp");
+ return;
+ }
+ %>
+
<%! long lastRRSFecth = 0;
SyndFeed lastBlogFeed = null;
SyndFeed lastReleaseFeed = null;
String blogFeedRSS = "http:;
diff -r -C 4 openfire_src_3_6_0/src/web/WEB-INF/web.xml openfire_patch_3_6_0a/src/web/WEB-INF/web.xml
*** openfire_src_3_6_0/src/web/WEB-INF/web.xml 2008-08-29 06:13:17.000000000 +0200
--- openfire_patch_3_6_0a/src/web/WEB-INF/web.xml 2008-11-12 16:57:05.000000000 +0100
***************
*** 23,31 ****
<filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class>
<init-param>
<param-name>excludes</param-name>
<param-value>
! login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-,.gif,.png,error-serverdown.jsp,setup/clearspace-integration-prelogin.jsp
</param-value>
</init-param>
</filter>
--- 23,31 ----
<filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class>
<init-param>
<param-name>excludes</param-name>
<param-value>
! /login.jsp
</param-value>
</init-param>
</filter>
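Review bot: The new `excludes` value sits on its own line inside `<param-value>`, so the string the filter receives carries leading and trailing whitespace around `/login.jsp`; the exact `excludes.contains(srvpath)` match in AuthCheckFilter only works if the init code trims each entry, which is not visible here. Dropping `.gif`, `.png` and `error-serverdown.jsp` also sends the login page's images and the server-down page through the login check, presumably answered with a redirect to the login page, so it is worth confirming that the login page still renders and that the redirect cannot loop. A comment above the init-param, e.g. `<!-- Exact servlet paths, comma separated; entries are matched whole, not as substrings -->`, would keep later additions from reintroducing suffix-style entries.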
General workaround
Workaround for Linux systems
ssh -L 9091:localhost:9091 username@yourserver.org
You can now access the Admin console via https://localhost:9091/
This should be safe.
Workaround using Apache
{{RewriteRule ^/admin/(.*) http://localhost:9090/$1 [P]}}
- Use your firewall to restrict access to admin console ports to required IP ranges only, e.g. your local network.
Workaround for Linux systems
- Block the admin console ports (normally 9090 and 9091) in your server's firewall.
- Use SSH to forward these ports to your local host:
ssh -L 9091:localhost:9091 username@yourserver.org
You can now access the Admin console via https://localhost:9091/
This should be safe.
Workaround using Apache