Yep, since the default profile is development. You can find details back on
the list, but basically the defaults are dev- and tools-friendly. Security is
only on when you are no longer in profile dev.

Actually, having the tomee/tomee user in the memory DB is less dangerous than
having the openejb internal app deployed. Both are deactivated in the non-dev
profile normally.


Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau


2014-05-12 22:06 GMT+02:00 David Blevins <[email protected]>:
> So if an administrator wanted to disable all users and did so by commenting 
> them out from the tomcat-users.xml file, would we then add users and open 
> access back up? (speaking of course of our default actions)
>
>
> -David
>
> On May 12, 2014, at 9:58 AM, Romain Manni-Bucau <[email protected]> wrote:
>
>> The point was that if we don't do it by default, some tools would have been
>> broken by default, like the webapp.
>>
>> BTW, if you remove the memory database from server.xml, or if you define
>> any user, we don't do it (see public void start(final StandardServer
>> server) in TomcatWebAppBuilder).
>>
>>
>> Romain Manni-Bucau
>> Twitter: @rmannibucau
>> Blog: http://rmannibucau.wordpress.com/
>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>> Github: https://github.com/rmannibucau
>>
>>
>> 2014-05-12 18:25 GMT+02:00 Thiago Veronezi <[email protected]>:
>>> Oh... I didn't know about that. I probably missed that discussion.
>>>
>>> IMO, it looks dangerous. It means that commenting out all the credentials
>>> from "tomee-users.xml" changes the default Tomcat behavior one expects to
>>> see.
>>>
>>> []s,
>>> Thiago.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Mon, May 12, 2014 at 11:16 AM, Romain Manni-Bucau
>>> <[email protected]> wrote:
>>>
>>>> Hi
>>>>
>>>> Since some time (I think it is 1.6.0, but not sure), the tomee:tomee user is
>>>> added automatically by default. Set -Dopenejb.profile=prod to get rid of
>>>> it.
>>>>
>>>>
>>>> Romain Manni-Bucau
>>>> Twitter: @rmannibucau
>>>> Blog: http://rmannibucau.wordpress.com/
>>>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>>>> Github: https://github.com/rmannibucau
>>>>
>>>>
>>>> 2014-05-12 16:25 GMT+02:00 Thiago Veronezi <[email protected]>:
>>>>> Guys,
>>>>>
>>>>> Sorry for the late notice, but can you verify this? It looks like the
>>>>> server completely ignores the fact that the default "tomee" credentials
>>>>> are commented out in "tomcat-users.xml".
>>>>>
>>>>> How to test?
>>>>>
>>>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/apache-tomee-1.6.0.2-plus.tar.gz
>>>>>
>>>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/tomee-webaccess-1.6.0.2.war
>>>>>
>>>>> * Install webaccess
>>>>> * Try to access it with tomee/tomee. You should not be able to, because the
>>>>> credentials are commented out.
>>>>> * Now remove it completely and leave the "tomcat-users" list empty. You are
>>>>> again able to access it with tomee/tomee.
>>>>> * Now set...
>>>>>
>>>>> <tomcat-users>
>>>>>  <role rolename="tomee-admin" />
>>>>>  <user username="tomee" password="tomis" roles="tomee-admin" />
>>>>> </tomcat-users>
>>>>>
>>>>> ... and try to access it with "tomee/tomee". It finally blocks the access.
>>>>> It will only work with "tomee/tomis".
>>>>>
>>>>> I'm not able to check or fix this right now. Feel free to investigate it.
>>>>>
>>>>> []s,
>>>>> Thiago.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, May 12, 2014 at 9:31 AM, David Blevins <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> My +1.
>>>>>>
>>>>>>
>>>>>> --
>>>>>> David Blevins
>>>>>> http://twitter.com/dblevins
>>>>>> http://www.tomitribe.com
>>>>>>
>>>>>> On May 6, 2014, at 2:29 PM, Andy Gumbrecht <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Everyone,
>>>>>>>
>>>>>>> I have rolled out the 1.6.0.2 security release for a vote.
>>>>>>>
>>>>>>> The *only* difference to 1.6.0.1 is an upgrade to CXF 2.6.14 to fix the
>>>>>>> 2014 (that's the year, not the count) security issues found here:
>>>>>>> http://cxf.apache.org/security-advisories.html
>>>>>>>
>>>>>>> SVN Tag:
>>>>>>>
>>>>>>> https://svn.apache.org/repos/asf/tomee/tomee/tags/tomee-1.6.0.2/
>>>>>>>
>>>>>>> Maven Repo:
>>>>>>>
>>>>>>> https://repository.apache.org/content/repositories/orgapachetomee-1016
>>>>>>>
>>>>>>> Binaries & Source:
>>>>>>>
>>>>>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/
>>>>>>>
>>>>>>> The vote will be open for 72 hours or as needed.
>>>>>>>
>>>>>>> Thanks for your time,
>>>>>>>
>>>>>>> Andy.
>>>>>>>
>>>>>>> --
>>>>>>> Andy Gumbrecht
>>>>>>>
>>>>>>> http://www.tomitribe.com
>>>>>>> [email protected]
>>>>>>> https://twitter.com/AndyGeeDe
>>>>>>>
>>>>>>> TomEE powers Tomitribe! | http://tomee.apache.org
>>>>>>>
>>>>>>
>>>>>>
>>>>
>
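The thread above describes three conditions under which TomEE's development profile adds a default tomee/tomee user at startup: the openejb.profile is still dev (the default), server.xml still declares the in-memory UserDatabase resource, and tomcat-users.xml defines no users (a commented-out user is invisible to the XML parser, which is exactly what Thiago's test steps show). The following configuration audit is an added example written for this page; it is not code from the thread, from TomEE or from Tomcat. The rule that the user is added exactly when the profile equals "dev" (and that an unset profile means dev), the `-Dopenejb.profile=` JVM option, and the stock Tomcat resource identifiers (`org.apache.catalina.UserDatabase`, `org.apache.catalina.users.MemoryUserDatabaseFactory`) are assumptions drawn from the thread and from a standard Tomcat server.xml; the sample XML documents are constructed to mirror the steps in Thiago's message.

```python
"""Audit a TomEE/Tomcat configuration for the conditions under which the
development profile adds the default tomee/tomee user.

Added example, not code from the mailing-list thread, TomEE or Tomcat.
Assumed rule (taken from the thread): the user is added only when
  - openejb.profile is "dev" (unset means dev),
  - server.xml still declares the in-memory UserDatabase resource, and
  - tomcat-users.xml defines no <user> elements (comments are not users).
"""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment with the stock Tomcat in-memory user
# database resource; the identifiers are the standard Tomcat ones.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
</Server>"""

# Constructed variant with the resource removed (Romain's first way out).
SERVER_XML_NO_MEMDB = '<Server port="8005" shutdown="SHUTDOWN"><GlobalNamingResources/></Server>'

# Constructed tomcat-users.xml variants mirroring the three steps in the thread.
USERS_COMMENTED_OUT = """<tomcat-users>
  <!-- <role rolename="tomee-admin" /> -->
  <!-- <user username="tomee" password="tomee" roles="tomee-admin" /> -->
</tomcat-users>"""

# Newer Tomcat files carry a default namespace; the audit must not be fooled by it.
USERS_EMPTY = '<tomcat-users xmlns="http://tomcat.apache.org/xml"/>'

USERS_EXPLICIT = """<tomcat-users>
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomis" roles="tomee-admin" />
</tomcat-users>"""


def _local_name(tag: str) -> str:
    """Strip a namespace prefix such as {http://tomcat.apache.org/xml}user."""
    return tag.rsplit("}", 1)[-1]


def count_users(tomcat_users_xml: str) -> int:
    """Number of <user> elements the parser actually sees; comments are skipped."""
    root = ET.fromstring(tomcat_users_xml)
    return sum(1 for el in root.iter() if _local_name(el.tag) == "user")


def has_memory_user_database(server_xml: str) -> bool:
    """True if server.xml still declares the MemoryUserDatabase-backed resource."""
    root = ET.fromstring(server_xml)
    return any(
        _local_name(el.tag) == "Resource"
        and el.get("factory") == "org.apache.catalina.users.MemoryUserDatabaseFactory"
        for el in root.iter()
    )


def profile_from_opts(catalina_opts: str) -> str:
    """Extract -Dopenejb.profile=... from a JVM options string (assumed form);
    per the thread the profile defaults to dev when it is not set."""
    m = re.search(r"-Dopenejb\.profile=(\S+)", catalina_opts)
    return m.group(1) if m else "dev"


def default_user_would_be_added(profile: str, tomcat_users_xml: str, server_xml: str) -> bool:
    """Assumed condition, combining the three statements made in the thread."""
    return (
        profile == "dev"
        and has_memory_user_database(server_xml)
        and count_users(tomcat_users_xml) == 0
    )


def audit(catalina_opts: str, tomcat_users_xml: str, server_xml: str) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    profile = profile_from_opts(catalina_opts)
    if profile == "dev":
        findings.append("openejb.profile is dev (the default): dev-only conveniences are active")
    if count_users(tomcat_users_xml) == 0 and has_memory_user_database(server_xml):
        findings.append("tomcat-users.xml defines no users but the in-memory UserDatabase is still declared")
    if default_user_would_be_added(profile, tomcat_users_xml, server_xml):
        findings.append("expect the tomee/tomee default user to be added at startup")
    return findings


if __name__ == "__main__":
    samples = [("commented out", USERS_COMMENTED_OUT), ("empty", USERS_EMPTY), ("explicit", USERS_EXPLICIT)]
    for label, users in samples:
        print(f"dev profile, users {label}: {audit('', users, SERVER_XML)}")
    print("prod profile, users commented out:",
          audit("-Dopenejb.profile=prod", USERS_COMMENTED_OUT, SERVER_XML))
```

Run against real files, `count_users` is what matters most: it returns 0 for the commented-out file just as it does for the empty one, so an operator who "disabled" the default account by commenting it out has, from the server's point of view, defined no users at all. Passing `-Dopenejb.profile=prod` clears the last finding while leaving the "no users defined" observation in place, which is the state David's question is about.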
