Define username in Web_server module


Hugo <Nabble>
I can't log in to my /private folder through the web browser and this is very frustrating. I have a password defined in server.luan like this:

Web_server.private_password = "123"

I don't know why I can't log in (I get "unauthorized" and the prompt keeps coming back), but I assume it is expecting a specific username that I don't know. How can I redefine the username in the configuration file?

Re: Define username in Web_server module

fschmidt
Administrator
Please send me your server.luan file.
Woe to those who call bad good and good bad -- Isaiah 5:20
Following the Old Testament, not evil modern culture

Re: Define username in Web_server module

Hugo <Nabble>
import "Java"
import "java:com/loveoverborders/lib/Log4j"
logDir = '/Users/hugo/work/loveoverborders/webserver/logs'
Log4j.initBasicFiles(logDir .. '/info.log', logDir .. '/warn.log', logDir .. '/error.log', '1Mb')

import "com.loveoverborders.lib.Net"
import "com.loveoverborders.lib.Relay"
Net.start()
Relay.start()
Net.startRemote("test.loveoverborders.com", "aaa", "bbb")

import "fschmidt.util.mail.MailHome"
smtp = MailHome.getSmtpServer("example.com","test3@example.com","xxxxxx");
smtp.setPort(587);
MailHome.setDefaultSmtpServer(smtp);

import "web/Web_server"
local homeDir = "/Users/hugo/work/loveoverborders/webserver"

resource_handler = Web_server.add_folder("/logs", homeDir .. "/logs")
resource_handler.setDirectoriesListed(true)

Web_server.zip()
Web_server.serve("java:com/loveoverborders/web")
Web_server.private_password = "123"

Re: Define username in Web_server module

fschmidt
Administrator
Web_server.serve() should be the last thing you call in this file.  Other things just configure how the serving is done.  The problem is that I need to write documentation of this, but for now the source should be easy enough to understand.

https://code.google.com/p/luan-java/source/browse/trunk/web/src/luan/modules/web/Web_server.luan

Re: Define username in Web_server module

Hugo <Nabble>
I see the problem now. In any case you should allow the site owner to redefine the username. The way the code is right now makes it fairly easy for a bot to try millions of combinations of characters and break into the private area without being noticed. With specific usernames defined, the probability of such invasion would be much smaller.

Re: Define username in Web_server module

fschmidt
Administrator
With the hosted version, the user's password to access hosting is also used to access /private so there is no problem.  The local version will mostly be used only for development and this is what you are using now.

Re: Define username in Web_server module

Hugo <Nabble>
fschmidt wrote
With the hosted version, the user's password to access hosting is also used to access /private so there is no problem.
Including his/her user name? Or only the password?
My point is that we need specific username+password combinations in order to make guessing really difficult. If you allow any username, guessing the password is going to be a piece of cake for a bot.

Re: Define username in Web_server module

fschmidt
Administrator
Hugo <Nabble> wrote
Including his/her user name? Or only the password?
My point is that we need specific username+password combinations in order to make guessing really difficult. If you allow any username, guessing the password is going to be a piece of cake for a bot.
Only password.  I don't have a concept of a username.  Here is the hosting client code:

https://code.google.com/p/luan-java/source/browse/trunk/core/src/luan/modules/Reactionary.luan

A user who is worried about security can, instead of:

username = bob
password = secret

just do:

password = bob-secret

I don't see any difference between these.

Re: Define username in Web_server module

Hugo <Nabble>
fschmidt wrote
A user who is worried about security...
Security should be provided by default. Most users will provide weak passwords and they won't care until everything is compromised. Then they will blame the service and everything else. We can discuss this if you want.

Re: Define username in Web_server module

fschmidt
Administrator
Okay, we can discuss this.

Re: Define username in Web_server module

Hugo <Nabble>
We discussed this. A simple solution is explained here: http://luan.7479.n7.nabble.com/Force-requests-to-wait-after-multiple-failed-login-attempts-tp175.html

I am closing this thread.
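
The thread ends on making clients wait after repeated failed logins, applied to a check that accepts any username and compares only the password. The sketch below is an added example, not Luan code and not the code from the linked thread: it shows that combination for an HTTP Basic `Authorization` header. The names `PrivateGate` and `password_from_basic`, the threshold of 5 failures, the 60-second doubling wait and the per-client-address bookkeeping are all assumptions made for illustration.

```python
import base64
import hmac

MAX_FAILURES = 5      # assumed: failures tolerated before a wait is imposed
LOCK_SECONDS = 60.0   # assumed: first wait; doubles with each further failure


def password_from_basic(header):
    """Return the password part of an 'Authorization: Basic ...' value, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:                      # bad base64 or bad UTF-8
        return None
    _user, sep, password = decoded.partition(":")   # username is ignored
    return password if sep else None


class PrivateGate:
    """Password-only gate that makes a client wait after repeated failures."""

    def __init__(self, password):
        self._password = password.encode()
        self._failures = {}   # client address -> (failure count, locked_until)

    def check(self, client, header, now):
        count, locked_until = self._failures.get(client, (0, 0.0))
        if now < locked_until:
            return "wait"     # refused without testing the guess at all
        supplied = password_from_basic(header)
        # Constant-time comparison so response timing does not leak a prefix match.
        if supplied is not None and hmac.compare_digest(
                supplied.encode(), self._password):
            self._failures.pop(client, None)
            return "ok"
        count += 1
        over = count - MAX_FAILURES
        locked_until = now + LOCK_SECONDS * 2 ** over if over >= 0 else 0.0
        self._failures[client] = (count, locked_until)
        return "unauthorized"
```

During the wait even the correct password is answered with "wait", so the limit on guesses per hour holds whatever username the client sends.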