added some more info + my opinion

maybe the thread should be pushed to dev@ now, no?

Romain Manni-Bucau
Twitter: @rmannibucau <https://twitter.com/rmannibucau>
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau




2012/10/6 Alex The Rocker <[email protected]>

> Security isn't an option.
> JIRA improvement item created, see:
> https://issues.apache.org/jira/browse/TOMEE-450
>
>
> On Sat, Oct 6, 2012 at 5:32 PM, Romain Manni-Bucau <[email protected]> wrote:
>
> > i thought starting a thread on it after next release but up to you, jira
> > works too
> >
> >
> > 2012/10/6 Alex The Rocker <[email protected]>
> >
> > > Want me to fill a JIRA for it ?
> > > Alex
> > >
> > > On Sat, Oct 6, 2012 at 5:23 PM, Romain Manni-Bucau <[email protected]> wrote:
> > >
> > > > hmm
> > > >
> > > > kind of profile can make sense
> > > >
> > > > probably something to think about for v 1.6
> > > >
> > > >
> > > > 2012/10/6 Alex The Rocker <[email protected]>
> > > >
> > > > > Romain:
> > > > >
> > > > > I think TomEE should be "secure by default", so commenting the default
> > > > > users sounds good to me.
> > > > > For developers vs production use cases, I think it would be great to
> > > > > have a "configurator command" to switch from "developer" vs. "production"
> > > > > configuration profiles.
> > > > > (IBM WebSphere has this feature, in Profile Management Tool)
> > > > >
> > > > > Alex.
> > > > >
> > > > >
> > > > > On Sat, Oct 6, 2012 at 4:15 PM, Romain Manni-Bucau <[email protected]> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > i think the question is open and i scare a debate without end on this
> > > > > > topic.
> > > > > >
> > > > > > Why i didn't comment it: because the moment where you need it the most
> > > > > > often is during the development so no issue having it.
> > > > > >
> > > > > > In production i hope it is adapted (and maybe tomcat-users.xml is not used
> > > > > > at all) so i thought it was not an issue.
> > > > > >
> > > > > > That's said if *everybody* thinks it should be as Tomcat commented i see no
> > > > > > big issue doing it
> > > > > >
> > > > > >
> > > > > > 2012/10/6 exabrial <[email protected]>
> > > > > >
> > > > > > > In apache-tomee-webprofile-1.5.0/conf/tomcat-users.xml, the following
> > > > > > > users are defined:
> > > > > > >
> > > > > > >   <role rolename="tomee-admin"/>
> > > > > > >   <user password="tomee" roles="tomee-admin,manager-gui" username="tomee"/>
> > > > > > >
> > > > > > > Wouldn't it be better to have those commented out by default?
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > View this message in context:
> > > > > > > http://openejb.979440.n4.nabble.com/v1-5-0-Security-concern-tp4657814.html
> > > > > > > Sent from the OpenEJB User mailing list archive at Nabble.com.
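The default account quoted at the start of the thread, as an added example (not code from the thread, from TomEE or from Tomcat): a small Python check that parses a tomcat-users.xml, flags the shipped tomee/tomee user, any password equal to its username and any account holding manager-* or *-admin roles, and shows the hardened file with that user commented out as the thread proposes. The KNOWN_DEFAULTS set and both sample files are constructed for this example.

```python
"""Audit a TomEE/Tomcat tomcat-users.xml for the shipped default account."""
import xml.etree.ElementTree as ET

# Constructed sample: the two lines quoted in the thread, wrapped in the root element.
DEFAULT_CONF = """<tomcat-users>
  <role rolename="tomee-admin"/>
  <user password="tomee" roles="tomee-admin,manager-gui" username="tomee"/>
</tomcat-users>
"""

# Constructed sample: the same file with the default user commented out,
# which is what the thread proposes as the secure-by-default shipping state.
HARDENED_CONF = """<tomcat-users>
  <role rolename="tomee-admin"/>
  <!--
  <user password="tomee" roles="tomee-admin,manager-gui" username="tomee"/>
  -->
</tomcat-users>
"""

# (username, password) pairs known to ship in a distribution; assumed list for this example.
KNOWN_DEFAULTS = {("tomee", "tomee")}


def audit_users(xml_text):
    """Return a list of (username, reason) findings; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):  # commented-out users are dropped by the parser
        # Tomcat accepts either "username" or "name" for the account name.
        name = user.get("username") or user.get("name") or ""
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if (name, password) in KNOWN_DEFAULTS:
            findings.append((name, "shipped default credentials"))
        elif password and password == name:
            findings.append((name, "password equals username"))
        # Manager webapp roles and *-admin roles grant deployment/admin rights.
        privileged = {r for r in roles if r.startswith("manager-") or r.endswith("-admin")}
        if privileged:
            findings.append((name, "privileged roles: " + ",".join(sorted(privileged))))
    return findings


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_users(conf))
```

Run it against a real conf/tomcat-users.xml by passing the file contents to audit_users; any non-empty result on a production box is worth a ticket.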
