The Control Center includes the security aspects described in the following list.
Authentication
Each user is assigned a username and a password, which are used to authenticate the user during login. No format or restriction is placed on the password, except that the password must be a non-empty string.
If an end user forgets the password, an administrator must reset the password to some known value. Retrieval of the password is not possible.
Brute-force password attacks
The Control Center defends itself against brute-force password attacks by using the authentication mechanism to keep track of login failures for each user. If any user has 10 consecutive failed logins, the user is placed in a “penalty box,” during which time the user cannot log in, even with the correct password. The user is automatically released from the lock after a short period of time. An administrator can release the lock ahead of schedule, if needed.
Encryption
The Control Center is designed to run with 128-bit SSL encryption. This level of encryption provides security against eavesdroppers.
Session expiration
If a logged-in user is dormant for longer than a configurable period of time, the user is prompted to re-enter the username and password to ensure that the same person is returning to the client machine. The default session expiration is 120 minutes.
Security certificate
A default security certificate is provided for the Control Center. This security certificate will expire after six months. To update this certificate or to install a new certificate, see the Sun ONE Application Server 7 Administrator's Guide to Security.