Known Issue ID | FMESERVER-13569 |
Discovered | FME Server 2019.2 |
Affects | Multiple Versions* |
Resolved | N/A |
* Verified only with FME Server 2019.2. This is a configuration issue and may affect versions as far back as FME Server 2016.
Issue
FME Server has the ability to provide unauthenticated access to workflows through the Trusted User Account. Administrators can change the default password of the Trusted User Account for any of the FME Server Web Services by manually editing the propertiesFile.properties file for each web service.
However, if the password is only changed in the propertiesFile.properties file, and it does not match that of the Trusted User Account as configured in the FME Server, then unexpected behaviour can occur:
1. Unauthenticated users may not be able to run FME Server workflows. The following message will be displayed:
HTTP Status 401 – Unauthorized The request has not been applied because it lacks valid authentication credentials for the target resource.
2. Users may be required to sign in with no username or password instead of the ability to access workflows without authenticating. This may affect any web applications, scripts, or workflows that are designed or required to have unauthenticated access.
Resolution
Documentation is updated for FME Server 2020.0 and newer to make this more clear for FME Server administrators.
There are no further product changes planned. The Trusted User Account is designed to provide unauthenticated access, and for this reason this issue is not classified as a security concern.
Note: FME Server administrators may also disable the Trusted User Account to prevent unauthenticated access. By default, this is the guest user account – this user account has very limited access to FME Server unless configured differently by an FME Server administrator. (This user account may be disabled by default in newer releases of FME Server.)
Comments
0 comments
Please sign in to leave a comment.