diff --git a/Global/functions.js b/Global/functions.js
index b95b947a..b77db3dc 100644
--- a/Global/functions.js
+++ b/Global/functions.js
@@ -15,6 +15,7 @@ function scheduler() {
*/
function onStart() {
app.data.addressFilter = createAddressFilter();
+ app.data.addressString = root.getProperty ("allowadmin");
}
/**
@@ -75,9 +76,9 @@ function appStat () {
* utility function to sort object-arrays by name
*/
function sortByName(a,b) {
- if ( a.getName () > b.getName ())
+ if (a.name > b.name)
return 1;
- else if (a.getName () == b.getName ())
+ else if (a.name == b.name)
return 0;
else
return -1;
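Review bot: With plain property access, `sortByName` returns -1 for both (a, b) and (b, a) whenever exactly one of the two elements has no `name`, because every comparison against `undefined` or `null` is false here; that hands the sort an inconsistent comparator. If all callers pass objects that carry a `name` property this is harmless, but the hunk does not show that. I would state the requirement in the doc comment above the function: `* utility function to sort object-arrays by name; every element must expose a "name" property`.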
@@ -126,7 +127,7 @@ function checkAuth(appObj) {
if ( md5username==rootUsername && md5password==rootPassword )
return true;
- if ( appObj!=null && appObj.isActive() ) {
+ if (appObj!=null && appObj.isActive()) {
// check against application
var appUsername = appObj.getProperty("adminusername");
var appPassword = appObj.getProperty("adminpassword");
@@ -141,6 +142,12 @@ function checkAuth(appObj) {
* check access to the manage-app by ip-addresses
*/
function checkAddress() {
+ // if allowadmin value in server.properties has changed,
+ // re-construct the addressFilter
+ if (app.data.addressString != root.getProperty ("allowadmin")){
+ app.data.addressFilter = createAddressFilter();
+ app.data.addressString = root.getProperty ("allowadmin");
+ }
if ( !app.data.addressFilter.matches(java.net.InetAddress.getByName(req.data.http_remotehost)) ) {
app.log("denied request from " + req.data.http_remotehost );
// forceStealth seems a bit like overkill here.
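Review bot: `checkAddress` reads `allowadmin` twice, once for the comparison and once when caching it, so a properties reload between the two calls can leave `app.data.addressString` out of step with the filter that was actually built. Read it once with `var allowAdmin = root.getProperty("allowadmin");` and use that local for both the comparison and the assignment. This branch changes which addresses may reach the manage application, so it should leave a trace, e.g. `app.log("allowadmin changed, rebuilt address filter");`. What `createAddressFilter()` returns when the property is missing or malformed is not visible here; confirm it denies rather than allows. The function body continues past the hunk.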
@@ -181,32 +188,21 @@ function createAuth() {
}
var obj = new Object();
obj.msg = "";
-
- if ( req.data.username!=null && req.data.password!=null && req.data.password2!=null ) {
+ if (req.data.username!=null && req.data.password!=null) {
// we have input from webform
if ( req.data.username=="" )
obj.msg += "username can't be left empty!
";
if ( req.data.password=="" )
obj.msg += "password can't be left empty!
";
- else if ( req.data.password!=req.data.password2 )
- obj.msg += "password and re-typed password don't match!
";
if ( obj.msg!="" ) {
obj.username = req.data.username;
res.reset();
renderSkin("pwdform",obj);
return false;
}
- var f = new File(root.getHopHome().toString, "server.properties");
- var str = f.readAll();
- var sep = java.lang.System.getProperty("line.separator");
- str += sep + "adminUsername=" + Packages.helma.util.MD5Encoder.encode(req.data.username) + sep;
- str += "adminPassword=" + Packages.helma.util.MD5Encoder.encode(req.data.password) + sep;
- f.remove();
- f.open();
- f.write(str);
- f.close();
- app.log( req.data.http_remotehost + " saved new adminUsername/adminPassword to server.properties");
- res.redirect ( root.href("main") );
+ var str = "adminUsername=" + Packages.helma.util.MD5Encoder.encode(req.data.username) + "
\n";
+ str += "adminPassword=" + Packages.helma.util.MD5Encoder.encode(req.data.password) + "
";
+ res.write ("
" + str + ""); } else { // no input from webform, so print it
diff --git a/Global/navig.skin b/Global/navig.skin
index f19ff3df..fecbbaf7 100644
--- a/Global/navig.skin
+++ b/Global/navig.skin
@@ -24,3 +24,7 @@
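Review bot: The new branch of `createAuth` writes the MD5 of the submitted username and password into the response body with `res.write`, and the removed `app.log(...)` line has no replacement, so generating admin credentials no longer leaves any record. Keep an audit entry that omits the hashes: `app.log(req.data.http_remotehost + " generated adminUsername/adminPassword hashes");`. The printed values appear to be exactly what `checkAuth` compares against (`md5username==rootUsername && md5password==rootPassword`), and they are unsalted MD5, so the output is as sensitive as the server.properties entries. A comment above the `res.write` call should say so. Whether this action is still limited by `checkAddress()` is not visible in the hunk and should be confirmed. The string literals are shown broken across lines on this page and the function continues outside the hunk, so the exact output format cannot be checked from here.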
+
Username and password for helma's manager: Please choose an username and password combination to access the -manage application of this server. They will be appended md5-encoded -to the server.properties file. You can change the settings manually -by editing the server.properties file or through this webinterface -in manage/makekey (from localhost only!). -This is a stupid script and doesn't check wheter these properties -are already set in this file. So if you've already set username and -password you need to delete the old values manually. +manage application of this server. They will be printed md5-encoded +in a format that you've got to copy/paste into the server.properties +file. <% param.msg %>Warning: The used http-authorization transmits username and password diff --git a/Root/makekey.hac b/Root/makekey.hac index 4800e2e4..edcf8857 100644 --- a/Root/makekey.hac +++ b/Root/makekey.hac @@ -1,10 +1,3 @@ - -//// strictly limit access to localhost: -//if ( req.data.http_remotehost!="localhost" && req.data.http_remotehost!="127.0.0.1" ) { -// app.logEvent( req.data.http_remotehost + " tried to access makekey"); -// return; -//} - if ( checkAuth()==false ) return; |