Avoid having setup-specific auth-excludes after install
Description
Authentication exclusions (for org.jivesoftware.admin.AuthCheckFilter#testURLPassesExclude) are partly hardcoded. Some of these auth-exclusions are hardcoded for the benefit of the Openfire setup process (in which an end-user is guided through a web-based wizard).
Once Openfire has been set up, these auth-exclusions (and possibly other setup-specific state) are no longer needed and should be removed. Ensure that AuthCheckFilter has 'setup'-related excludes only while Openfire is being set up.
It should be noted that it is possible to restart Openfire setup (by toggling the value of the <setup> element in the openfire.xml configuration file). It must remain possible to restart setup. Any state that is removed after setup should therefore be re-added in that scenario (or, alternatively, that state shouldn't be present initially at all, unless setup is started).
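One way to satisfy both requirements (no setup excludes once setup is done, excludes back when setup is restarted) is to never add or remove them at all, and instead key a separate set of setup-only excludes off the live setup state. The Java below is an added illustration written for this issue; it is not Openfire's AuthCheckFilter or any other Openfire code. The `SetupAwareAuthExcludes` class, its prefix-style matcher, the `setup/*` pattern and the boolean stand-in for the `<setup>` flag are all assumptions made for the example.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BooleanSupplier;

/**
 * Illustrative (not Openfire's) auth-exclude registry. Setup-only excludes live
 * in their own set and are consulted only while the supplied setup-mode flag
 * reports true, so finishing setup closes them and re-entering setup reopens
 * them without any add/remove bookkeeping.
 */
public final class SetupAwareAuthExcludes {

    private final Set<String> permanentExcludes = ConcurrentHashMap.newKeySet();
    private final Set<String> setupOnlyExcludes = ConcurrentHashMap.newKeySet();
    private final BooleanSupplier inSetupMode; // in a real server this would read the <setup> state

    public SetupAwareAuthExcludes(BooleanSupplier inSetupMode) {
        this.inSetupMode = inSetupMode;
    }

    public void addPermanentExclude(String pattern) { permanentExcludes.add(pattern); }
    public void addSetupOnlyExclude(String pattern) { setupOnlyExcludes.add(pattern); }

    /** Hypothetical matcher: exact match, or prefix match when the pattern ends in '*'. */
    static boolean matches(String path, String pattern) {
        if (pattern.endsWith("*")) {
            return path.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        return path.equals(pattern);
    }

    /** True if the request may bypass authentication. */
    public boolean passesWithoutAuth(String url) {
        // Match on the path only, and refuse obvious traversal so a URL such as
        // "setup/../admin/index.jsp" cannot ride on a setup exclude. A real filter
        // should match the container-normalised servlet path, not the raw URL.
        String path = url.split("\\?", 2)[0];
        if (path.contains("..")) {
            return false;
        }
        for (String p : permanentExcludes) {
            if (matches(path, p)) {
                return true;
            }
        }
        if (inSetupMode.getAsBoolean()) {
            for (String p : setupOnlyExcludes) {
                if (matches(path, p)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        boolean[] setup = { true }; // constructed stand-in for the <setup> flag
        SetupAwareAuthExcludes excludes = new SetupAwareAuthExcludes(() -> setup[0]);
        excludes.addPermanentExclude("login.jsp");
        excludes.addSetupOnlyExclude("setup/*"); // hypothetical pattern, not Openfire's list

        System.out.println("during setup, setup page open: "
                + excludes.passesWithoutAuth("setup/setup-host-settings.jsp"));
        setup[0] = false; // setup finished: nothing to remove
        System.out.println("after setup, setup page open: "
                + excludes.passesWithoutAuth("setup/setup-host-settings.jsp"));
        System.out.println("after setup, login page open: "
                + excludes.passesWithoutAuth("login.jsp"));
        setup[0] = true; // <setup> toggled back in openfire.xml: nothing to re-add
        System.out.println("setup restarted, setup page open: "
                + excludes.passesWithoutAuth("setup/setup-host-settings.jsp"));
        System.out.println("traversal through a setup exclude: "
                + excludes.passesWithoutAuth("setup/../admin/index.jsp"));
    }
}
```

Because the setup excludes are gated by the flag rather than installed and uninstalled, the restart-setup scenario needs no extra state handling; the same approach also keeps the exclude set auditable, since the list of what is open during setup is declared in one place rather than reconstructed at runtime.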
This change should go in branches main, 4.7 and 4.6 of the private temporary fork of Openfire that is used to address this vulnerability.