https://issues.apache.org/bugzilla/show_bug.cgi?id=56606
--- Comment #2 from Konstantin Kolinko <knst.koli...@gmail.com> ---

For the record: There are several components that read tomcat-users.xml.

org.apache.catalina.users.MemoryUserDatabase (-> .open() -> o.a.c.users.MemoryUserCreationFactory) prefers "username".

org.apache.catalina.realm.MemoryRealm (-> .startInternal() -> o.a.c.realm.MemoryRuleSet)

org.apache.catalina.realm.JAASMemoryLoginModule (-> .load() -> o.a.c.realm.MemoryRuleSet)

prefer "name".

I agree that "username" is the preferred name, as MemoryUserDatabase.save() (-> MemoryUser.toXml()) uses it when saving the file. The other implementations are not able to write the file.

(In reply to Sandro Martini from comment #0)
> Last (using the same installation procedure, using the exe), if I don't set
> a password for the admin, the line in the tomcat-users.xml won't be generated

Enabling an administrative user shall be a conscious decision.

It is also recommended to configure a RemoteAddrValve on the manager application. There exists malware that targets installations that have users named "manager" with absent (or weak) passwords.

1. Search for CVE-2009-3548

2. http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Securing_Management_Applications
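
Added example, not part of the original comment and not Tomcat's own code: a small audit of a tomcat-users.xml that accepts both the "username" and the "name" attribute named above and reports management accounts whose password is absent or weak. It assumes passwords are stored in plain text (not digested); the role prefixes, the weak-password list and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: roles starting with these prefixes grant access to the
# management applications (e.g. manager-gui, admin-gui).
MGMT_PREFIXES = ("manager", "admin")
# Constructed, deliberately tiny list; substitute your own password policy.
WEAK = {"admin", "manager", "tomcat", "password", "changeit"}

def local(tag):
    """Drop an XML namespace such as '{http://tomcat.apache.org/xml}user'."""
    return tag.rsplit("}", 1)[-1]

def audit_users(xml_text):
    """Return [(user, attribute_used, problem)] for risky management accounts."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "user":
            continue
        # MemoryUserDatabase prefers "username"; MemoryRealm and
        # JAASMemoryLoginModule prefer "name". Accept either spelling.
        attr = "username" if "username" in el.attrib else "name"
        user = el.get(attr)
        if user is None:
            findings.append(("?", None, "no username/name attribute"))
            continue
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        if not any(r.startswith(MGMT_PREFIXES) for r in roles):
            continue  # not a management account
        pw = el.get("password")
        if not pw:
            findings.append((user, attr, "management role with absent password"))
        elif pw.lower() in WEAK or pw == user:
            findings.append((user, attr, "management role with weak password"))
    return findings

# Constructed sample file, not taken from any real installation.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="manager" password="" roles="manager-gui"/>
  <user name="admin" password="admin" roles="admin-gui,manager-gui"/>
  <user username="ops" password="Xk7#constructed-Long-value" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="reports"/>
</tomcat-users>"""

if __name__ == "__main__":
    for user, attr, problem in audit_users(SAMPLE):
        print(f"{user} (via {attr!r}): {problem}")
```
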