Guys,

Sorry for the late notice, but can you verify this? It looks like the server completely ignores the fact that the default "tomee" credentials are commented out in "tomcat-users.xml".

How to test?

https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/apache-tomee-1.6.0.2-plus.tar.gz
https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/tomee-webaccess-1.6.0.2.war

* Install webaccess
* Try to access it with tomee/tomee. You should not be able to, because the credentials are commented out.
* Now remove it completely and leave the "tomcat-users" list empty. You are again able to access it with tomee/tomee
* Now set...

<tomcat-users>
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomis" roles="tomee-admin" />
</tomcat-users>

... and try to access it with "tomee/tomee". It finally blocks the access. It will only work with "tomee/tomis".

I'm not able to check or fix this right now. Feel free to investigate it.

[]s,
Thiago.

On Mon, May 12, 2014 at 9:31 AM, David Blevins <[email protected]> wrote:

> My +1.
>
> --
> David Blevins
> http://twitter.com/dblevins
> http://www.tomitribe.com
>
> On May 6, 2014, at 2:29 PM, Andy Gumbrecht <[email protected]> wrote:
>
> > Hi Everyone,
> >
> > I have rolled out the 1.6.0.2 security release for a vote.
> >
> > The *only* difference to 1.6.0.1 is an upgrade to CXF 2.6.14 to fix the 2014 (that's the year not the count) security issues found here:
> > http://cxf.apache.org/security-advisories.html
> >
> > SVN Tag:
> >
> > https://svn.apache.org/repos/asf/tomee/tomee/tags/tomee-1.6.0.2/
> >
> > Maven Repo:
> >
> > https://repository.apache.org/content/repositories/orgapachetomee-1016
> >
> > Binaries & Source:
> >
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/
> >
> > The vote will be open for 72 hours or as needed.
> >
> > Thanks for your time,
> >
> > Andy.
> >
> > --
> > Andy Gumbrecht
> >
> > http://www.tomitribe.com
> > [email protected]
> > https://twitter.com/AndyGeeDe
> >
> > TomEE treibt Tomitribe! | http://tomee.apache.org
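
The file-side expectation for the three test states in the report above, as an added example that is not part of the original thread or of TomEE's code: it reads tomcat-users.xml the way an XML parser sees it (comments dropped) and lists the cases where the reported server answer differs from what the file declares. The sample files, the plaintext-password comparison and all function names are assumptions made for illustration.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed samples of the three tomcat-users.xml states in the test steps.
COMMENTED_OUT = """<tomcat-users>
  <!--
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomee" roles="tomee-admin" />
  -->
</tomcat-users>"""
EMPTY = "<tomcat-users></tomcat-users>"
EXPLICIT = """<tomcat-users>
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomis" roles="tomee-admin" />
</tomcat-users>"""

def declared_users(xml_text):
    """Map username -> (password, roles) for active <user> elements only."""
    root = ET.fromstring(xml_text)  # default parser discards XML comments
    users = {}
    for user in root.iter("user"):
        name = user.get("username")
        if name:
            roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
            users[name] = (user.get("password", ""), roles)
    return users

def file_allows(xml_text, username, password, role="tomee-admin"):
    """True only if the file itself declares this user, password and role."""
    stored, roles = declared_users(xml_text).get(username, (None, set()))
    if stored is None:
        return False
    return role in roles and hmac.compare_digest(stored.encode(), password.encode())

def mismatches(observations):
    """Labels of cases where the server's answer differs from what the file declares."""
    return [label for label, xml_text, user, pw, granted in observations
            if granted != file_allows(xml_text, user, pw)]

# Observed results as the message above describes them (granted = login accepted).
REPORTED = [
    ("commented out", COMMENTED_OUT, "tomee", "tomee", True),
    ("empty list", EMPTY, "tomee", "tomee", True),
    ("explicit, old password", EXPLICIT, "tomee", "tomee", False),
    ("explicit, new password", EXPLICIT, "tomee", "tomis", True),
]

if __name__ == "__main__":
    print(mismatches(REPORTED))
```

Any label returned by `mismatches` is a login the server accepted or refused contrary to the file, which is the condition to confirm before the release vote closes.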
