Build Forge includes login security by default. When a user logs in, the request is redirected to an authentication servlet. The user name and password that the user enters are encrypted for use by the servlet. If the login is successful, the console user interface home is shown. Subsequent session communications between the client and the console can be over HTTP (the default) or over HTTPS. Using HTTPS requires additional configuration of the system. See Enabling SSL and HTTPS.
During installation, you provide a password for the keystore that is used for encryption. You also have the option of installing a self-signed certificate.
If you have Build Forge install a self-signed certificate, users accessing the system through a security-enabled browser get warning messages about the certificate.
To prevent those warnings, distribute the certificate to users for installation in their browser. The specifics of installing the certificate vary by browser. Consult the browser documentation.
The certificate is located in <bfinstall>/keystore.
If login security is disabled, then during login user credentials are communicated to the console in unencrypted cleartext. Disabling login security does not affect the use of HTTPS/SSL by the console, if the console is configured to use it.
To disable the authentication servlet, do the following:
services_url https://hostname:8443/rbf-services
Change the line to the following:
services_url http://hostname:8080/rbf-services
<display-name>A Services Layer Bootstrap Servlet</display-name>
<servlet>
  <servlet-name>ServicesBootstrap</servlet-name>
  <servlet-class>com.buildforge.services.server.web.BootstrapServlet</servlet-class>
  <init-param>
    <param-name>port</param-name>
    <param-value>3966</param-value>
  </init-param>
  <init-param>
    <param-name>sslPort</param-name>
    <param-value>49150</param-value>
  </init-param>
  <init-param>
    <param-name>ForceHttps</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>0</load-on-startup>
</servlet>
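The following is an added example, not part of the product documentation: a Python check that reads the two settings shown above and reports whether they match the state in which login credentials are sent in cleartext. The function names, the constructed sample inputs, the enclosing web-app root element, and the treatment of ForceHttps=false as the disabled state are assumptions.

```python
import re
import xml.etree.ElementTree as ET

def services_url_scheme(conf_text):
    """Scheme of the active services_url line, or None if it is absent."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*services_url\s+(\w+)://", line)
        if m:
            return m.group(1).lower()
    return None

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip an XML namespace, if any

def servlet_params(webxml_text, name="ServicesBootstrap"):
    """init-param name/value pairs of the named servlet ({} if not found)."""
    for servlet in ET.fromstring(webxml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [c.text.strip() for c in servlet if _local(c.tag) == "servlet-name" and c.text]
        if name not in names:
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in ip}
                params[kv.get("param-name")] = kv.get("param-value")
        return params
    return {}

def audit(conf_text, webxml_text):
    """Findings for settings that match the disabled-login-security state."""
    findings = []
    scheme = services_url_scheme(conf_text)
    if scheme != "https":  # http here means credentials are sent in cleartext at login
        findings.append("services_url is not https (found %s)" % scheme)
    # Assumption: ForceHttps=false, as in the fragment above, is the disabled state.
    force = servlet_params(webxml_text).get("ForceHttps")
    if (force or "").lower() != "true":
        findings.append("ForceHttps is %s" % force)
    return findings

# Constructed sample inputs (host name and ports as shown on the page).
CONF_DISABLED = "services_url http://hostname:8080/rbf-services\n"
CONF_ENABLED = "services_url https://hostname:8443/rbf-services\n"
WEBXML = """<web-app><servlet>
<servlet-name>ServicesBootstrap</servlet-name>
<init-param><param-name>sslPort</param-name><param-value>49150</param-value></init-param>
<init-param><param-name>ForceHttps</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
```

Calling `audit(CONF_DISABLED, WEBXML)` returns one finding per setting; an empty list means neither setting matches the disabled state.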