Disabling lucee admin with cloud deployment

chapmandu · June 26, 2015, 6:21am

Hi All,

Does anyone have a solid method to set password or disable the lucee admin
during/after a production cloud deployment using a WAR file?

I’m particularly interested in AWS Elastic Beanstalk but perhaps you have
achieved the same result with another cloud provider that may translate.

Thanks in advance,
Adam

Tom_Chiverton · June 26, 2015, 8:55am

We set IP-based restrictions in the attached Apache, something like this on
conf.d/lucee-admin.conf :

<Location /lucee/>
Allow from 1.2.3.
Deny from all

<Location /lucee-server/>
Allow from 1.2.3.
Deny from all

If there is no Allow, obviously it’ll be totally disabled, though the API
objects will still work I expect.

TomOn Friday, June 26, 2015 at 7:21:01 AM UTC+1, Adam Chapman wrote:

Hi All,

Does anyone have a solid method to set password or disable the lucee admin
during/after a production cloud deployment using a WAR file?

I’m particularly interested in AWS Elastic Beanstalk but perhaps you have
achieved the same result with another cloud provider that may translate.

Thanks in advance,
Adam

Jochem_van_Dieten · June 27, 2015, 5:17pm

Does anyone have a solid method to set password or disable the lucee admin
during/after a production cloud deployment using a WAR file?

We typically do the same as Tom and Nando, i.e. handle it in the firewall
and using IP security on the webserver. When that is not enough, we modify
the build process for the war file to embed a server ID (used in the salt)
and encrypted passwords in the lucee-web.xml and the lucee-server.xml. I
suppose if you put something in the XML files that is not a valid hash you
have effectively disabled access to the administrator.

JochemOn Fri, Jun 26, 2015 at 8:21 AM, Adam Chapman wrote:

–
Jochem van Dieten
http://jochem.vandieten.net/

chapmandu · June 29, 2015, 4:39am

Thanks for the replies… Looks like I’m on the right track. Nice to have
that confirmed.On Sunday, June 28, 2015 at 3:17:23 AM UTC+10, Jochem van Dieten wrote:

On Fri, Jun 26, 2015 at 8:21 AM, Adam Chapman wrote:

Does anyone have a solid method to set password or disable the lucee
admin during/after a production cloud deployment using a WAR file?

We typically do the same as Tom and Nando, i.e. handle it in the firewall
and using IP security on the webserver. When that is not enough, we modify
the build process for the war file to embed a server ID (used in the salt)
and encrypted passwords in the lucee-web.xml and the lucee-server.xml. I
suppose if you put something in the XML files that is not a valid hash you
have effectively disabled access to the administrator.

Jochem

–
Jochem van Dieten
http://jochem.vandieten.net/