tomee-users mailing list archives

From Romain Manni-Bucau <rmannibu...@gmail.com>
Subject Re: v1.5.0 Security concern
Date Sat, 06 Oct 2012 15:23:21 GMT
hmm

kind of profile can make sense

probably something to think about for v 1.6

*Romain Manni-Bucau*
*Twitter: @rmannibucau <https://twitter.com/rmannibucau>*
*Blog: http://rmannibucau.wordpress.com/*
*LinkedIn: http://fr.linkedin.com/in/rmannibucau*
*Github: https://github.com/rmannibucau*




2012/10/6 Alex The Rocker <alex.m3tal@gmail.com>

> Romain:
>
> I think TomEE should be "secure by default", so commenting the default
> users sounds good to me.
> For developers vs production use cases, I think it would be great to have a
> "configurator command" to switch from "developer" vs. "production"
> configuration profiles.
> (IBM WebSphere has this feature, in Profile Management Tool)
>
> Alex.
>
>
> On Sat, Oct 6, 2012 at 4:15 PM, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>
> > Hi,
> >
> > I think the question is open and I fear a debate without end on this
> > topic.
> >
> > Why I didn't comment it: because the moment where you need it the most
> > often is during the development so no issue having it.
> >
> > In production I hope it is adapted (and maybe tomcat-users.xml is not used
> > at all) so I thought it was not an issue.
> >
> > That said, if *everybody* thinks it should be as Tomcat commented I see no
> > big issue doing it
> >
> > *Romain Manni-Bucau*
> > *Twitter: @rmannibucau <https://twitter.com/rmannibucau>*
> > *Blog: http://rmannibucau.wordpress.com/*
> > *LinkedIn: http://fr.linkedin.com/in/rmannibucau*
> > *Github: https://github.com/rmannibucau*
> >
> >
> >
> >
> > 2012/10/6 exabrial <exabrial+openejb@gmail.com>
> >
> > > In apache-tomee-webprofile-1.5.0/conf/tomcat-users.xml, the following users
> > > are defined:
> > >
> > >   <role rolename="tomee-admin"/>
> > >   <user password="tomee" roles="tomee-admin,manager-gui" username="tomee"/>
> > >
> > > Wouldn't it be better to have those commented out by default?
> > >
> > >
> > >
>
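A deployment check for the concern raised in this thread, as an added example that is not part of the original messages or of TomEE itself: it parses a tomcat-users.xml and reports active (not commented-out) accounts whose password equals the username or that hold management roles. The function name, the role list beyond the two roles quoted above, and both sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles treated as management access. "tomee-admin" and "manager-gui" come from
# the thread; the other Tomcat role names are added here as an assumption.
ADMIN_ROLES = {"tomee-admin", "manager-gui", "manager-script", "admin-gui"}

# Constructed sample: the active entries quoted in the thread.
ACTIVE = """<tomcat-users>
  <role rolename="tomee-admin"/>
  <user password="tomee" roles="tomee-admin,manager-gui" username="tomee"/>
</tomcat-users>"""

# Constructed sample: the same entries commented out, as proposed in the thread.
COMMENTED = """<tomcat-users>
  <!--
  <role rolename="tomee-admin"/>
  <user password="tomee" roles="tomee-admin,manager-gui" username="tomee"/>
  -->
</tomcat-users>"""


def audit_tomcat_users(xml_text):
    """Return (username, reason, management_roles) for each risky active user.

    The default ElementTree parser drops XML comments, so commented-out
    <user> elements are never reported.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Strip a namespace prefix, if any, so namespaced files are handled too.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        admin = sorted(roles & ADMIN_ROLES)
        if password and password == name:
            findings.append((name, "password equals username", admin))
        elif admin:
            findings.append((name, "active account with management roles", admin))
    return findings


if __name__ == "__main__":
    for label, doc in (("active", ACTIVE), ("commented", COMMENTED)):
        print(label, audit_tomcat_users(doc))
```
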
