kkolinko commented on pull request #412: URL: https://github.com/apache/tomcat/pull/412#issuecomment-817630063
> <user username="admin" password="<must-be-changed>" roles="manager-gui,manager-jmx"/> -1 for the above line. The "manager-jmx" role is not intended to be used by human users: it does not have CSRF protection. See https://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html#Configuring_Manager_Application_Access > <role rolename="manager-gui"/> etc. There rarely is a need to explicitly create roles like the above. When parsing the tomcat-users.xml file, all roles mentioned in users are created automatically. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org