Please read "tomcat-users.xml" where I write "tomee-users.xml".
On Mon, May 12, 2014 at 12:25 PM, Thiago Veronezi <[email protected]> wrote:
>
> Oh... I didn't know about that. I probably missed that discussion.
>
> imo, it looks dangerous. It means that commenting out all the credentials
> from "tomee-users.xml" changes the default tomcat behavior one expects to
> see.
>
> []s,
> Thiago.
>
> On Mon, May 12, 2014 at 11:16 AM, Romain Manni-Bucau <[email protected]> wrote:
>
>> Hi
>>
>> since some times (think it is 1.6.0 but not sure) tomee:tomee user is
>> added automatically by default. -Dopenejb.profile=prod to get rid of
>> it
>>
>>
>> Romain Manni-Bucau
>> Twitter: @rmannibucau
>> Blog: http://rmannibucau.wordpress.com/
>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>> Github: https://github.com/rmannibucau
>>
>>
>> 2014-05-12 16:25 GMT+02:00 Thiago Veronezi <[email protected]>:
>> > Guys,
>> >
>> > Sorry for the late notice, but can you verify this? It looks like the
>> > server completely ignores the fact that the default "tomee" credentials are
>> > commented out in "tomcat-users.xml".
>> >
>> > How to test?
>> > https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/apache-tomee-1.6.0.2-plus.tar.gz
>> > https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/tomee-webaccess-1.6.0.2.war
>> >
>> > * Install webaccess
>> > * try to access it with tomee/tomee. You should not be able because the
>> >   credentials are commented out.
>> > * Now remove it completely and let the "tomcat-users" list empty. You are
>> >   again able to access it with tomee/tomee
>> > * Now set...
>> >
>> > <tomcat-users>
>> >   <role rolename="tomee-admin" />
>> >   <user username="tomee" password="tomis" roles="tomee-admin" />
>> > </tomcat-users>
>> >
>> > ... and try to access it with "tomee/tomee". It finally blocks the access.
>> > It will only work with "tomee/tomis".
>> >
>> > I'm not able to check or fix this right now. Feel free to investigate it.
>> >
>> > []s,
>> > Thiago.
>> >
>> > On Mon, May 12, 2014 at 9:31 AM, David Blevins <[email protected]> wrote:
>> >
>> >> My +1.
>> >>
>> >> --
>> >> David Blevins
>> >> http://twitter.com/dblevins
>> >> http://www.tomitribe.com
>> >>
>> >> On May 6, 2014, at 2:29 PM, Andy Gumbrecht <[email protected]> wrote:
>> >>
>> >> > Hi Everyone,
>> >> >
>> >> > I have rolled out the 1.6.0.2 security release for a vote.
>> >> >
>> >> > The *only* difference to 1.6.0.1 is an upgrade to CXF 2.6.14 to fix the
>> >> > 2014 (that's the year not the count) security issues found here:
>> >> > http://cxf.apache.org/security-advisories.html
>> >> >
>> >> > SVN Tag:
>> >> >
>> >> > https://svn.apache.org/repos/asf/tomee/tomee/tags/tomee-1.6.0.2/
>> >> >
>> >> > Maven Repo:
>> >> >
>> >> > https://repository.apache.org/content/repositories/orgapachetomee-1016
>> >> >
>> >> > Binaries & Source:
>> >> >
>> >> > https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/
>> >> >
>> >> > The vote will be open for 72 hours or as needed.
>> >> >
>> >> > Thanks for your time,
>> >> >
>> >> > Andy.
>> >> >
>> >> > --
>> >> > Andy Gumbrecht
>> >> >
>> >> > http://www.tomitribe.com
>> >> > [email protected]
>> >> > https://twitter.com/AndyGeeDe
>> >> >
>> >> > TomEE drives Tomitribe! | http://tomee.apache.org
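The following is an added configuration-audit example and is not code from the TomEE project or from anyone in the thread. It takes the behaviour as the thread states it (on TomEE 1.6.x a tomee:tomee user is added automatically unless the JVM runs with -Dopenejb.profile=prod) and checks a tomcat-users.xml together with the JVM option string for the two situations discussed: a user list that is empty or entirely commented out without the prod profile, and an explicitly configured tomee:tomee account. The function names and the sample tomcat-users.xml contents are constructed for this example; the script does not infer anything about other combinations the thread does not cover.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_USER = "tomee"                # default user name discussed in the thread
DEFAULT_PASSWORD = "tomee"            # default password discussed in the thread
PROD_FLAG = "-Dopenejb.profile=prod"  # option Romain gives to disable the default


def active_users(xml_text):
    """Return the attribute dict of every <user> the container will actually load.

    ElementTree discards XML comments while parsing, so a <user> wrapped in
    <!-- ... --> never appears here, which mirrors what the realm sees.
    """
    root = ET.fromstring(xml_text)
    return [dict(user.attrib) for user in root.iter("user")]


def commented_out_users(xml_text):
    """Count <user> tags that sit inside XML comments (invisible to the realm)."""
    comments = re.findall(r"<!--(.*?)-->", xml_text, flags=re.S)
    return sum(c.count("<user") for c in comments)


def has_prod_profile(jvm_opts):
    """True if the prod profile flag is among the whitespace-separated JVM options."""
    return PROD_FLAG in jvm_opts.split()


def audit(xml_text, jvm_opts):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    users = active_users(xml_text)

    # Case from the thread: no active <user> entries and no prod profile means the
    # auto-added tomee:tomee account is live, whether the file is empty or the
    # entries are merely commented out.
    if not users and not has_prod_profile(jvm_opts):
        msg = "no active <user> entries and %s not set: auto-added %s:%s is live" % (
            PROD_FLAG, DEFAULT_USER, DEFAULT_PASSWORD)
        if commented_out_users(xml_text):
            msg += " (commenting the entries out does not remove the default)"
        findings.append(msg)

    # An explicitly configured tomee:tomee account is as weak as the auto-added one.
    for user in users:
        if user.get("username") == DEFAULT_USER and user.get("password") == DEFAULT_PASSWORD:
            findings.append("explicit %s:%s account in tomcat-users.xml"
                            % (DEFAULT_USER, DEFAULT_PASSWORD))
    return findings


# Constructed sample files (hypothetical, not shipped TomEE defaults).
SAMPLE_COMMENTED = """<tomcat-users>
  <!--
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomee" roles="tomee-admin" />
  -->
</tomcat-users>
"""

SAMPLE_FIXED = """<tomcat-users>
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomis" roles="tomee-admin" />
</tomcat-users>
"""

SAMPLE_EXPLICIT_DEFAULT = """<tomcat-users>
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomee" roles="tomee-admin" />
</tomcat-users>
"""

if __name__ == "__main__":
    for label, xml_text, opts in (
        ("commented-out, no prod profile", SAMPLE_COMMENTED, "-Xmx512m"),
        ("commented-out, prod profile", SAMPLE_COMMENTED, "-Xmx512m " + PROD_FLAG),
        ("explicit tomee/tomis", SAMPLE_FIXED, "-Xmx512m"),
        ("explicit tomee/tomee", SAMPLE_EXPLICIT_DEFAULT, ""),
    ):
        print(label, "->", audit(xml_text, opts) or "ok")
```

Run it against a real file with `audit(open("conf/tomcat-users.xml").read(), os.environ.get("CATALINA_OPTS", ""))`; the regex comment scan is only there to explain a finding, the parser-based `active_users` is what decides whether an entry counts.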
