In TomcatWebAppBuilder (pointer in my first answer). See http://mail-archives.apache.org/mod_mbox/openejb-commits/201210.mbox/%[email protected]%3E and all is detailed here https://issues.apache.org/jira/plugins/servlet/mobile#issue/TOMEE-450

On 13 May 2014 02:14, "David Blevins" <[email protected]> wrote:

> I don't recall discussing adding users outside of those configured in the tomee-users.xml. Where in code do we do this?
>
> -David
>
> On May 12, 2014, at 1:15 PM, Romain Manni-Bucau <[email protected]> wrote:
>
> > yep since default profile is development. You can find details back on the list but basically defaults are dev and tools friendly. Security is only on when you are no more in profile dev.
> >
> > Actually having tomee/tomee user in memory db is less dangerous than having openejb internal app deployed. Both are deactivated in not dev profile normally.
> >
> > Romain Manni-Bucau
> > Twitter: @rmannibucau
> > Blog: http://rmannibucau.wordpress.com/
> > LinkedIn: http://fr.linkedin.com/in/rmannibucau
> > Github: https://github.com/rmannibucau
> >
> > 2014-05-12 22:06 GMT+02:00 David Blevins <[email protected]>:
> >> So if an administrator wanted to disable all users and did so by commenting them out from the tomcat-users.xml file, would we then add users and open access back up? (speaking of course of our default actions)
> >>
> >> -David
> >>
> >> On May 12, 2014, at 9:58 AM, Romain Manni-Bucau <[email protected]> wrote:
> >>
> >>> the point was if we don't do it by default some tools would have been broken by default like the webapp.
> >>>
> >>> BTW if you remove the memorydatabase of server.xml or if you define any user we don't do it (see public void start(final StandardServer server) in TomcatWebAppBuilder)
> >>>
> >>> Romain Manni-Bucau
> >>> Twitter: @rmannibucau
> >>> Blog: http://rmannibucau.wordpress.com/
> >>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> >>> Github: https://github.com/rmannibucau
> >>>
> >>> 2014-05-12 18:25 GMT+02:00 Thiago Veronezi <[email protected]>:
> >>>> Oh... I didn't know about that. I probably missed that discussion.
> >>>>
> >>>> imo, it looks dangerous. It means that commenting out all the credentials from "tomee-users.xml" changes the default tomcat behavior one expects to see.
> >>>>
> >>>> []s,
> >>>> Thiago.
> >>>>
> >>>> On Mon, May 12, 2014 at 11:16 AM, Romain Manni-Bucau <[email protected]> wrote:
> >>>>
> >>>>> Hi
> >>>>>
> >>>>> since some time (think it is 1.6.0 but not sure) tomee:tomee user is added automatically by default. -Dopenejb.profile=prod to get rid of it
> >>>>>
> >>>>> Romain Manni-Bucau
> >>>>> Twitter: @rmannibucau
> >>>>> Blog: http://rmannibucau.wordpress.com/
> >>>>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> >>>>> Github: https://github.com/rmannibucau
> >>>>>
> >>>>> 2014-05-12 16:25 GMT+02:00 Thiago Veronezi <[email protected]>:
> >>>>>> Guys,
> >>>>>>
> >>>>>> Sorry for the late notice, but can you verify this? It looks like the server completely ignores the fact that the default "tomee" credentials are commented out in "tomcat-users.xml".
> >>>>>>
> >>>>>> How to test?
> >>>>>>
> >>>>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/apache-tomee-1.6.0.2-plus.tar.gz
> >>>>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/tomee-webaccess-1.6.0.2.war
> >>>>>>
> >>>>>> * Install webaccess
> >>>>>> * try to access it with tomee/tomee. You should not be able to because the credentials are commented out.
> >>>>>> * Now remove it completely and leave the "tomcat-users" list empty. You are again able to access it with tomee/tomee
> >>>>>> * Now set...
> >>>>>>
> >>>>>>     <tomcat-users>
> >>>>>>       <role rolename="tomee-admin" />
> >>>>>>       <user username="tomee" password="tomis" roles="tomee-admin" />
> >>>>>>     </tomcat-users>
> >>>>>>
> >>>>>> ... and try to access it with "tomee/tomee". It finally blocks the access. It will only work with "tomee/tomis".
> >>>>>>
> >>>>>> I'm not able to check or fix this right now. Feel free to investigate it.
> >>>>>>
> >>>>>> []s,
> >>>>>> Thiago.
> >>>>>>
> >>>>>> On Mon, May 12, 2014 at 9:31 AM, David Blevins <[email protected]> wrote:
> >>>>>>
> >>>>>>> My +1.
> >>>>>>>
> >>>>>>> --
> >>>>>>> David Blevins
> >>>>>>> http://twitter.com/dblevins
> >>>>>>> http://www.tomitribe.com
> >>>>>>>
> >>>>>>> On May 6, 2014, at 2:29 PM, Andy Gumbrecht <[email protected]> wrote:
> >>>>>>>
> >>>>>>>> Hi Everyone,
> >>>>>>>>
> >>>>>>>> I have rolled out the 1.6.0.2 security release for a vote.
> >>>>>>>>
> >>>>>>>> The *only* difference to 1.6.0.1 is an upgrade to CXF 2.6.14 to fix the 2014 (that's the year not the count) security issues found here:
> >>>>>>>> http://cxf.apache.org/security-advisories.html
> >>>>>>>>
> >>>>>>>> SVN Tag:
> >>>>>>>>
> >>>>>>>> https://svn.apache.org/repos/asf/tomee/tomee/tags/tomee-1.6.0.2/
> >>>>>>>>
> >>>>>>>> Maven Repo:
> >>>>>>>>
> >>>>>>>> https://repository.apache.org/content/repositories/orgapachetomee-1016
> >>>>>>>>
> >>>>>>>> Binaries & Source:
> >>>>>>>>
> >>>>>>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/
> >>>>>>>>
> >>>>>>>> The vote will be open for 72 hours or as needed.
> >>>>>>>>
> >>>>>>>> Thanks for your time,
> >>>>>>>>
> >>>>>>>> Andy.
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Andy Gumbrecht
> >>>>>>>>
> >>>>>>>> http://www.tomitribe.com
> >>>>>>>> [email protected]
> >>>>>>>> https://twitter.com/AndyGeeDe
> >>>>>>>>
> >>>>>>>> TomEE drives Tomitribe! | http://tomee.apache.org
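The behaviour the thread describes (a tomee/tomee user added when tomcat-users.xml defines no user and the profile is still the default development one, disabled by -Dopenejb.profile=prod or by defining any user) is easy to miss in review because a commented-out <user> element is, to an XML parser, simply absent. The following is an added pre-deployment lint written for this editorial note; it is not TomEE's code, and the way it detects the profile (scanning a JVM options string for the -Dopenejb.profile=prod flag named in the thread) is an assumption. The sample XML documents are constructed.

```python
"""Lint a tomcat-users.xml the way TomEE 1.6.x is described to read it.

Added example, not TomEE code.  Rule reproduced from the thread:
no <user> defined (comments do not count) and profile != prod
=> a default tomee/tomee user is added at startup.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: the "locked down" file an admin may believe is safe.
COMMENTED_OUT = """<tomcat-users>
  <!--
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomee" roles="tomee-admin" />
  -->
</tomcat-users>
"""

# Constructed sample: Thiago's third step, an explicitly defined user.
EXPLICIT_USER = """<tomcat-users>
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomis" roles="tomee-admin" />
</tomcat-users>
"""

# Constructed sample: a user defined with the default credential pair.
DEFAULT_CREDS = """<tomcat-users>
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomee" roles="tomee-admin" />
</tomcat-users>
"""

PROD_FLAG = "-Dopenejb.profile=prod"   # flag named in the thread (assumed form)


@dataclass
class Finding:
    level: str    # "WARN" or "OK"
    message: str


def defined_users(xml_text: str) -> list[tuple[str, str]]:
    """Return (username, password) pairs the parser actually sees.

    Anything inside <!-- --> never reaches the element tree, which is
    exactly why "commenting out" does not count as "defining no users"
    in the admin's sense while it does in the server's sense.
    """
    root = ET.fromstring(xml_text)
    return [(u.get("username", ""), u.get("password", "")) for u in root.iter("user")]


def check(xml_text: str, jvm_opts: str = "") -> list[Finding]:
    """Apply the thread's rule plus a default-credential check."""
    findings: list[Finding] = []
    users = defined_users(xml_text)
    prod = PROD_FLAG in jvm_opts.split()

    if not users and not prod:
        findings.append(Finding("WARN",
            "no <user> element defined and profile is not prod: "
            "TomEE 1.6.x adds tomee/tomee automatically at startup"))
    elif not users:
        findings.append(Finding("OK",
            "no <user> element defined, but openejb.profile=prod: no default user added"))
    else:
        names = ", ".join(name for name, _ in users)
        findings.append(Finding("OK", f"users defined ({names}); no default user added"))

    # Defining a user disables the automatic one, but the well-known pair is no better.
    for name, password in users:
        if name == "tomee" and password == "tomee":
            findings.append(Finding("WARN", "user 'tomee' still uses the default password"))
    return findings


def main() -> None:
    samples = {"commented-out": COMMENTED_OUT,
               "explicit user": EXPLICIT_USER,
               "default creds": DEFAULT_CREDS}
    for label, xml_text in samples.items():
        for opts in ("", PROD_FLAG):
            for f in check(xml_text, opts):
                print(f"[{f.level}] {label:14s} opts={opts or '(none)':26s} {f.message}")


if __name__ == "__main__":
    main()
```

Run it against the real file with `check(open("conf/tomcat-users.xml").read(), "$CATALINA_OPTS")` in a deployment pipeline; the useful property is that the commented-out file and an empty file produce the same WARN, which is the mismatch between the administrator's intent and the server's reading that the thread is about.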
