So if an administrator wanted to disable all users and did so by commenting them out from the tomcat-users.xml file, would we then add users and open access back up? (speaking of course of our default actions)
-David

On May 12, 2014, at 9:58 AM, Romain Manni-Bucau <[email protected]> wrote:

> the point was if we don't do it by default some tools would have been
> broken by default like the webapp.
>
> BTW if you remove the memorydatabase of server.xml or if you define
> any user we don't do it (see public void start(final StandardServer
> server) in TomcatWebAppBuilder)
>
>
> Romain Manni-Bucau
> Twitter: @rmannibucau
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau
>
>
> 2014-05-12 18:25 GMT+02:00 Thiago Veronezi <[email protected]>:
>> Oh... I didn't know about that. I probably missed that discussion.
>>
>> imo, it looks dangerous. It means that commenting out all the credentials
>> from "tomee-users.xml" changes the default tomcat behavior one expects to
>> see.
>>
>> []s,
>> Thiago.
>>
>>
>> On Mon, May 12, 2014 at 11:16 AM, Romain Manni-Bucau
>> <[email protected]> wrote:
>>
>>> Hi
>>>
>>> since some time (think it is 1.6.0 but not sure) tomee:tomee user is
>>> added automatically by default. -Dopenejb.profile=prod to get rid of
>>> it
>>>
>>>
>>> Romain Manni-Bucau
>>> Twitter: @rmannibucau
>>> Blog: http://rmannibucau.wordpress.com/
>>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>>> Github: https://github.com/rmannibucau
>>>
>>>
>>> 2014-05-12 16:25 GMT+02:00 Thiago Veronezi <[email protected]>:
>>>> Guys,
>>>>
>>>> Sorry for the late notice, but can you verify this? It looks like the
>>>> server completely ignores the fact that the default "tomee" credentials
>>>> are commented out in "tomcat-users.xml".
>>>>
>>>> How to test?
>>>>
>>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/apache-tomee-1.6.0.2-plus.tar.gz
>>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/tomee-webaccess-1.6.0.2.war
>>>>
>>>> * Install webaccess
>>>> * try to access it with tomee/tomee. You should not be able to because the
>>>> credentials are commented out.
>>>> * Now remove it completely and leave the "tomcat-users" list empty. You are
>>>> again able to access it with tomee/tomee
>>>> * Now set...
>>>>
>>>> <tomcat-users>
>>>>   <role rolename="tomee-admin" />
>>>>   <user username="tomee" password="tomis" roles="tomee-admin" />
>>>> </tomcat-users>
>>>>
>>>> ... and try to access it with "tomee/tomee". It finally blocks the access.
>>>> It will only work with "tomee/tomis".
>>>>
>>>> I'm not able to check or fix this right now. Feel free to investigate it.
>>>>
>>>> []s,
>>>> Thiago.
>>>>
>>>>
>>>> On Mon, May 12, 2014 at 9:31 AM, David Blevins <[email protected]> wrote:
>>>>
>>>>> My +1.
>>>>>
>>>>>
>>>>> --
>>>>> David Blevins
>>>>> http://twitter.com/dblevins
>>>>> http://www.tomitribe.com
>>>>>
>>>>> On May 6, 2014, at 2:29 PM, Andy Gumbrecht <[email protected]> wrote:
>>>>>
>>>>>> Hi Everyone,
>>>>>>
>>>>>> I have rolled out the 1.6.0.2 security release for a vote.
>>>>>>
>>>>>> The *only* difference to 1.6.0.1 is an upgrade to CXF 2.6.14 to fix the
>>>>>> 2014 (that's the year not the count) security issues found here:
>>>>>> http://cxf.apache.org/security-advisories.html
>>>>>>
>>>>>> SVN Tag:
>>>>>>
>>>>>> https://svn.apache.org/repos/asf/tomee/tomee/tags/tomee-1.6.0.2/
>>>>>>
>>>>>> Maven Repo:
>>>>>>
>>>>>> https://repository.apache.org/content/repositories/orgapachetomee-1016
>>>>>>
>>>>>> Binaries & Source:
>>>>>>
>>>>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/
>>>>>>
>>>>>> The vote will be open for 72 hours or as needed.
>>>>>>
>>>>>> Thanks for your time,
>>>>>>
>>>>>> Andy.
>>>>>>
>>>>>> --
>>>>>> Andy Gumbrecht
>>>>>>
>>>>>> http://www.tomitribe.com
>>>>>> [email protected]
>>>>>> https://twitter.com/AndyGeeDe
>>>>>>
>>>>>> TomEE treibt Tomitribe! |http://tomee.apache.org
>>>>>>
>>>>>
>>>>>
>>>
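The condition the thread turns on is whether tomcat-users.xml defines any active user at all: a user inside an XML comment is not an element, so to a parser the commented-out file and the empty file look identical, which is why Thiago's first two steps behave the same. The following audit script is an added example, not TomEE's TomcatWebAppBuilder code; its `default_account_injected` function is a model of Romain's description (no user defined and no `-Dopenejb.profile=prod`), and the four tomcat-users.xml documents in it are constructed samples, including a Tomcat 8 style namespaced one to show that the check must match on the local element name.

```python
"""Audit a tomcat-users.xml for the condition described in the thread:
does it define any *active* <user>?  Added example; a model of the
behaviour described on the list, not TomEE's own code.  All XML below
is constructed sample input."""
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    # Tomcat 8+ places tomcat-users.xml in the http://tomcat.apache.org/xml
    # namespace; Tomcat 7 era files have none.  Compare on the local name.
    return tag.rsplit("}", 1)[-1]


def active_users(xml_text: str) -> List[Tuple[str, List[str]]]:
    """(username, roles) for every <user> the parser actually sees.
    A user inside <!-- --> is not an element, so it never shows up here:
    the commented-out file is indistinguishable from an empty one."""
    root = ET.fromstring(xml_text)
    found: List[Tuple[str, List[str]]] = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        # Tomcat's MemoryRealm accepts both "username" and "name".
        name = el.get("username") or el.get("name") or ""
        roles = [r.strip() for r in (el.get("roles") or "").split(",") if r.strip()]
        found.append((name, roles))
    return found


def default_account_injected(xml_text: str, openejb_profile: Optional[str] = None) -> bool:
    """Assumed model of the thread's description: the default tomee:tomee
    account is added only when no user is defined and the profile is not
    'prod' (-Dopenejb.profile=prod)."""
    if openejb_profile == "prod":
        return False
    return not active_users(xml_text)


# Constructed samples mirroring the three states in Thiago's steps.
COMMENTED_OUT = """<tomcat-users>
  <!--
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomee" roles="tomee-admin" />
  -->
</tomcat-users>
"""
EMPTY_LIST = "<tomcat-users></tomcat-users>"
EXPLICIT_USER = """<tomcat-users>
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomis" roles="tomee-admin" />
</tomcat-users>
"""
# Tomcat 8+ style (namespaced, two roles); constructed to exercise _local().
NAMESPACED = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="ops" password="s3cret" roles="manager-gui, admin-gui"/>
</tomcat-users>
"""


def audit(label: str, xml_text: str, profile: Optional[str] = None) -> str:
    """One human-readable verdict line per file, for a pre-deploy check."""
    users = active_users(xml_text)
    verdict = ("DEFAULT tomee:tomee WOULD BE ADDED"
               if default_account_injected(xml_text, profile) else "ok")
    return f"{label}: {len(users)} active user(s) {[u for u, _ in users]} -> {verdict}"


if __name__ == "__main__":
    for label, doc in [("commented-out", COMMENTED_OUT), ("empty", EMPTY_LIST),
                       ("explicit", EXPLICIT_USER), ("namespaced", NAMESPACED)]:
        print(audit(label, doc))
    print(audit("commented-out, prod profile", COMMENTED_OUT, "prod"))
```

Run it against a real `conf/tomcat-users.xml` by passing the file contents to `audit`; the useful lesson is that "zero active users" is the state to alarm on, since the parser cannot tell a deliberately disabled account from a never-configured one.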
