On 05/11/2010 11:27, Brooke Hedrick wrote:
> Hey,
>
> Would it make sense to update the conf/tomcat-users.xml file to account for
> the new roles?

Providing a tomcat-users.xml file that includes a default user with a known password that has access to an administrative interface would be very, very bad from a security point of view.

The current 7.0.x and 6.0.x files have all the necessary information in comments within the file.

Mark

>
> Here's my patch:
>
> 34a35,42 >> <role rolename="manager-gui"/> >> <role rolename="manager-script"/> >> <role rolename="manager-jmx"/> >> <role rolename="manager-status"/> >> <user username="manager" password="s3cret" > roles="manager-gui,manager-script,manager-jmx,manager-status"/> >> <role rolename="admin-gui"/> >> <role rolename="admin-script"/> >> <user username="admin" password="s3cret" > roles="admin-gui,admin-script"/>
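
Review bot: The two added `<user>` entries (`manager` and `admin`) carry the fixed password `s3cret` and, as shown in the hunk, are not wrapped in an XML comment, so every installation that keeps the shipped conf/tomcat-users.xml would expose the manager and admin interfaces behind a credential anyone can read in the distribution. Suggest leaving the `<role>` and `<user>` lines inside a comment block as documentation only, with a placeholder where the password goes, so that an operator has to enable the account and choose the password deliberately. Separately, the `manager` user is given `manager-gui` together with `manager-script` and `manager-jmx`; the Tomcat documentation recommends not combining the GUI role with the script or JMX roles on one account, so the example is better split into separate users per interface.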