on 09-19-2014 6:41 AM
Dear experts!
We've found that the SPNego Wizard is available directly by the URL http://<hostname>:port/spnego and is not restricted by password.
Everybody who has a user account, even without any roles and permissions, can access the wizard page just by entering the password and
make any changes, for example delete realms or the Keytab certificate.
Could you advise us how to close this hole?
Hello,
I suppose you are talking about SAP NetWeaver Java?
I could not reproduce your problem. If I log in with a simple user I get "You do not have permission to administrate SPNEGO".
Possibly the user has additional rights (see Identity Management: Assigned Roles and Assigned Groups), or the permissions within the default groups (Authenticated Users, Everyone) were changed.
That may also be the case if an LDAP/Active Directory is attached to the UME and an LDAP group the user is a member of (e.g. AD: "Domain Users") has some admin roles assigned.
You also get logged in "automatically" if you have already logged in with an administrator account in the NetWeaver Administrator (NWA) and open another NWA page (e.g. SPNego) in the same web browser. This works as designed.
Please check again.
Grüße / Kind regards,
Frank
Hello Frank,
I've created a new user for the test without any roles and profiles, and even without any permissions I can manage this page; only this page is accessible for managing. For other pages like NWA, IRJ etc. authorization is required, and this is strange.
We don't use an LDAP/AD database, only the ABAP store, so there is no AD impact on this issue.