____________________________________
An important note regarding Security
The Web Starter Kit installs itself with default passwords for the
WEBKIT account and the DEMO user (which is the account manager). These
passwords are required by some of the demos because they are "hardcoded"
in some of the config files or web pages. You should thus consider these
passwords as public knowledge! Depending on the network services (e.g.
nsvt, telnet, ftp, odbc, samba) that your HP 3000 is running, the
DEMO.WEBKIT account can be considered a more or less "open door" to your
system (even if it does not have any special capabilities beyond PH for
process handling). Because of this, you might want to consider changing
those passwords when you have finished exploring the Web Starter Kit
demos. This will break some of the demos, especially those using JDBC or
Telnet to access server-side data or programs, but would leave at least
the web pages accessible. If you prefer to be very careful, you can also
stop the Apache and JServ jobs. Always keep in mind that this Web
Starter Kit is intended to be used on an internal Intranet, not the
public Internet (unless your 3000 is security-insensitive).
____________________________________________________________
Here is a list of files that contain "hardcoded" logon info:
diffs/zone.properties:
+ servlet.music.initArgs=dbUser=demo.webkit,dbPass=not\,secret
htdocs/LiveDemo/JdbcApplet.html:
htdocs/LiveDemo/JdbcApplet.html:
htdocs/LiveDemo/QueryPage.html:
htdocs/LiveDemo/TransactPage1.html:
helloCmd="hello applet,demo.webkit"
htdocs/LiveDemo/TransactPage2.html:
htdocs/LiveDemo/TransactPage3.html:
htdocs/LiveDemo/TransactPage3.html:
helloCmd="hello applet,demo.webkit"
htdocs/LiveDemo/TransactPage4.html:
htdocs/LiveDemo/jar/JdbcApplet.html:
htdocs/LiveDemo/jar/JdbcApplet.html:
htdocs/LiveDemo/jar/QueryPage.html:
htdocs/WebKit/snippets.html:
D:\>net use X: \\my3000\demo.webkit
htdocs/WebKit/snippets.html:
:java JdbcProgram jdbc:allbase://localhost/musicdbe demo.webkit not,secret
htdocs/WebKit/snippets.html:
D:\>java JdbcProgram jdbc:allbase://my3000/musicdbe demo.webkit not,secret
htdocs/WebKit/snippets.html:
D:\>java QueryClient my3000 demo/not.webkit/secret
htdocs/WebKit/snippets.html:
D:\>java TransactClient my3000 demo.webkit
lib/httpd.job:
!job httpd,demo.webkit ;pri=cs
lib/httpd.stop:
!job httpd,demo.webkit ;pri=cs
lib/jserv.job:
!job jserv,demo.webkit ;pri=cs
lib/jserv.stop:
!job jserv,demo.webkit ;pri=cs
proglets/CmdFile1.props:
logonCommand=hello proglet,demo/not.webkit/secret
proglets/CmdFile2.props:
logonCommand=hello proglet,demo/not.webkit/secret
proglets/PasXL1.props:
logonCommand=hello proglet,demo/not.webkit/secret
proglets/TranXL1.props:
logonCommand=hello proglet,demo/not.webkit/secret
proglets/TranXL2.props:
logonCommand=hello proglet,demo/not.webkit/secret
programs/JdbcProgram.java:
(args.length > 1) ? args[1] : "demo.webkit";
programs/QueryClient.java:
(args.length > 1) ? args[1] : "java,demo/not.webkit/secret";
servlets/Music.java:
static final String dbUser0 = "demo.webkit";
servlets/Music.java:
static final String dbPass0 = "open,secret";
Notice that some of the above files only contain user/account logon
information (but no passwords) whereas other files (also) contain
passwords. In some cases, the hardcoded values are just default values
that can be overridden by config files, param tags in web pages or
user input from command line arguments or as a response to popup dialog
boxes.
This list is not only meant to show you the places where passwords
are "hidden", but it can also be helpful when installing some or all
of the demos in a different account or making them access a different
database or user.
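As an added example (not part of the Web Starter Kit), the check below sorts the hits from the list above the way the previous paragraph does: it parses MPE logon strings of the form [session,]user[/upass].account[/apass] and the JDBC "upass,apass" password form, and reports which lines only name a user/account and which also carry a password. The sample lines are constructed from the file list on this page; the regexes and function names are this example's own assumptions.

```python
import re

# Constructed sample input: the grep hits quoted in the file list above, plus one line
# without logon data that must not be reported.
SAMPLE_HITS = [
    ("lib/httpd.job", "!job httpd,demo.webkit ;pri=cs"),
    ("htdocs/LiveDemo/TransactPage1.html", 'helloCmd="hello applet,demo.webkit"'),
    ("proglets/CmdFile1.props", "logonCommand=hello proglet,demo/not.webkit/secret"),
    ("diffs/zone.properties", r"servlet.music.initArgs=dbUser=demo.webkit,dbPass=not\,secret"),
    ("htdocs/WebKit/snippets.html", "D:\\>java JdbcProgram jdbc:allbase://my3000/musicdbe demo.webkit not,secret"),
    ("programs/JdbcProgram.java", '(args.length > 1) ? args[1] : "demo.webkit";'),
    ("servlets/Music.java", 'static final String dbPass0 = "open,secret";'),
    ("lib/httpd.job", "!setvar foo 1"),
]

# MPE logon string as accepted by HELLO and JOB: [session,]user[/upass].account[/apass].
# The lookbehind stops Java member access such as "args.length" from being read as a logon.
MPE_LOGON = re.compile(
    r'(?:^|(?<=[\s,="\\]))(?:(?P<session>\w+),)?(?P<user>[A-Za-z]\w*)(?:/(?P<upass>\w+))?'
    r"\.(?P<account>[A-Za-z]\w*)(?:/(?P<apass>\w+))?(?![\w.])")
# Password as handed to the JDBC driver: "upass,apass", comma escaped in .properties files.
DB_PASS = re.compile(r'dbPass\w*\s*=\s*"?(\w+)\\?,(\w+)')
TRAILING_PASS = re.compile(r"\s+(\w+),(\w+)\b")  # "demo.webkit not,secret" on a command line

def classify(line):
    """Return {'user', 'account', 'has_password'} for a line carrying logon data, else None."""
    m = MPE_LOGON.search(line)
    pw = DB_PASS.search(line) or (m and TRAILING_PASS.match(line, m.end()))
    if not m and not pw:
        return None
    embedded = bool(m and (m["upass"] or m["apass"]))
    return {"user": m["user"] if m else None,
            "account": m["account"] if m else None,
            "has_password": embedded or bool(pw)}

def scan(hits):
    """Classify (path, line) pairs; returns [(path, user, account, has_password), ...]."""
    found = []
    for path, line in hits:
        c = classify(line)
        if c:
            found.append((path, c["user"], c["account"], c["has_password"]))
    return found

if __name__ == "__main__":
    # Lines flagged PASSWORD are the ones that stop working once the default passwords change.
    for path, user, account, has_pw in scan(SAMPLE_HITS):
        who = f"{user}.{account}" if user else "(password only)"
        print(f"{'PASSWORD' if has_pw else 'logon   '} {path}: {who}")
```

To run it against an installed kit, feed scan() the (path, line) pairs read from the files in the list above instead of SAMPLE_HITS.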