The point was: if we don't do it by default, some tools would have been broken by default, like the webapp.

BTW, if you remove the memory database from server.xml or if you define any user, we don't do it (see public void start(final StandardServer server) in TomcatWebAppBuilder).

Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau


2014-05-12 18:25 GMT+02:00 Thiago Veronezi <[email protected]>:
> Oh... I didn't know about that. I probably missed that discussion.
>
> IMO, it looks dangerous. It means that commenting out all the credentials
> from "tomee-users.xml" changes the default Tomcat behavior one expects to
> see.
>
> []s,
> Thiago.
>
>
> On Mon, May 12, 2014 at 11:16 AM, Romain Manni-Bucau
> <[email protected]> wrote:
>
>> Hi
>>
>> For some time (I think it is 1.6.0 but not sure) the tomee:tomee user is
>> added automatically by default. -Dopenejb.profile=prod to get rid of
>> it.
>>
>>
>> Romain Manni-Bucau
>> Twitter: @rmannibucau
>> Blog: http://rmannibucau.wordpress.com/
>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>> Github: https://github.com/rmannibucau
>>
>>
>> 2014-05-12 16:25 GMT+02:00 Thiago Veronezi <[email protected]>:
>> > Guys,
>> >
>> > Sorry for the late notice, but can you verify this? It looks like the
>> > server completely ignores the fact that the default "tomee" credentials are
>> > commented out in "tomcat-users.xml".
>> >
>> > How to test?
>> >
>> > https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/apache-tomee-1.6.0.2-plus.tar.gz
>> > https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/tomee-webaccess-1.6.0.2.war
>> >
>> > * Install webaccess
>> > * Try to access it with tomee/tomee. You should not be able to because the
>> >   credentials are commented out.
>> > * Now remove it completely and leave the "tomcat-users" list empty. You are
>> >   again able to access it with tomee/tomee.
>> > * Now set...
>> >
>> > <tomcat-users>
>> >   <role rolename="tomee-admin" />
>> >   <user username="tomee" password="tomis" roles="tomee-admin" />
>> > </tomcat-users>
>> >
>> > ... and try to access it with "tomee/tomee". It finally blocks the access.
>> > It will only work with "tomee/tomis".
>> >
>> > I'm not able to check or fix this right now. Feel free to investigate it.
>> >
>> > []s,
>> > Thiago.
>> >
>> >
>> > On Mon, May 12, 2014 at 9:31 AM, David Blevins <[email protected]> wrote:
>> >
>> >> My +1.
>> >>
>> >>
>> >> --
>> >> David Blevins
>> >> http://twitter.com/dblevins
>> >> http://www.tomitribe.com
>> >>
>> >> On May 6, 2014, at 2:29 PM, Andy Gumbrecht <[email protected]> wrote:
>> >>
>> >> > Hi Everyone,
>> >> >
>> >> > I have rolled out the 1.6.0.2 security release for a vote.
>> >> >
>> >> > The *only* difference to 1.6.0.1 is an upgrade to CXF 2.6.14 to fix the
>> >> > 2014 (that's the year, not the count) security issues found here:
>> >> > http://cxf.apache.org/security-advisories.html
>> >> >
>> >> > SVN Tag:
>> >> >
>> >> > https://svn.apache.org/repos/asf/tomee/tomee/tags/tomee-1.6.0.2/
>> >> >
>> >> > Maven Repo:
>> >> >
>> >> > https://repository.apache.org/content/repositories/orgapachetomee-1016
>> >> >
>> >> > Binaries & Source:
>> >> >
>> >> > https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/
>> >> >
>> >> > The vote will be open for 72 hours or as needed.
>> >> >
>> >> > Thanks for your time,
>> >> >
>> >> > Andy.
>> >> >
>> >> > --
>> >> > Andy Gumbrecht
>> >> >
>> >> > http://www.tomitribe.com
>> >> > [email protected]
>> >> > https://twitter.com/AndyGeeDe
>> >> >
>> >> > TomEE treibt Tomitribe! | http://tomee.apache.org
>> >> >
>> >>
>> >>
>> >>
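The behaviour Thiago tested and Romain described can be checked offline before deploying: if tomcat-users.xml defines no live <user> element (a commented-out user does not count, since the XML parser drops comments) and the server is not started with -Dopenejb.profile=prod, the default tomee:tomee account is accepted. The script below is an added example, not code from the TomEE project. It assumes the rule exactly as Romain states it (no user defined and profile != prod), assumes the server.xml memory database is still present, treats passwords as plaintext as in the file Thiago posted, and uses an assumed role name of tomee-admin for the injected account. The three sample files mirror the three steps of Thiago's test and are constructed here.

```python
"""Audit a tomcat-users.xml for the TomEE 1.6.x default-user behaviour.

Added example, not TomEE project code. Assumptions: the rule is
"no <user> defined and profile != prod" => tomee:tomee is injected; the
server.xml memory-database condition holds; passwords are plaintext.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Account the thread says TomEE injects (role name is an assumption).
INJECTED_USER = ("tomee", "tomee", "tomee-admin")


def defined_users(xml_text: str) -> Dict[str, Tuple[str, str]]:
    """Map username -> (password, roles) for every live <user> element.

    ElementTree discards XML comments while parsing, so a commented-out
    <user .../> is invisible here, exactly as it is to the server.
    """
    root = ET.fromstring(xml_text)
    users = {}
    for el in root.iter():
        # Tomcat 8+ files carry xmlns="http://tomcat.apache.org/xml";
        # compare on the local name so both styles are handled.
        if el.tag.rsplit("}", 1)[-1] == "user":
            name = el.get("username") or el.get("name")
            if name:
                users[name] = (el.get("password", ""), el.get("roles", ""))
    return users


def default_user_injected(xml_text: str, profile: Optional[str] = None) -> bool:
    """True when, under the stated rule, TomEE would add tomee:tomee."""
    if profile == "prod":
        return False
    return not defined_users(xml_text)


def login_ok(xml_text: str, username: str, password: str,
             profile: Optional[str] = None) -> bool:
    """Would username/password be accepted by the effective user base?"""
    users = dict(defined_users(xml_text))
    if default_user_injected(xml_text, profile):
        name, pw, roles = INJECTED_USER
        users[name] = (pw, roles)
    entry = users.get(username)
    return entry is not None and entry[0] == password


def audit(xml_text: str, profile: Optional[str] = None) -> str:
    """One-line verdict for an operator reviewing a deployment."""
    if default_user_injected(xml_text, profile):
        return ("no user defined: tomee/tomee will be accepted; define a "
                "user or start with -Dopenejb.profile=prod")
    return "explicit users present: " + ", ".join(sorted(defined_users(xml_text)))


# Constructed sample files, one per step of the test in the thread.
COMMENTED_OUT = """<tomcat-users>
  <!--
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomee" roles="tomee-admin" />
  -->
</tomcat-users>
"""

EMPTY = "<tomcat-users></tomcat-users>"

EXPLICIT = """<tomcat-users>
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomis" roles="tomee-admin" />
</tomcat-users>
"""

if __name__ == "__main__":
    for label, text in (("commented out", COMMENTED_OUT),
                        ("empty", EMPTY),
                        ("explicit", EXPLICIT)):
        print(label + ":", audit(text))
    print("empty, prod profile:", audit(EMPTY, profile="prod"))
```

Run it against the real conf/tomcat-users.xml of a deployment (read the file and pass its text to audit); the commented-out and empty cases both report that tomee/tomee would be accepted, while the explicit file only accepts tomee/tomis.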
