tomee-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex The Rocker <alex.m3...@gmail.com>
Subject Re: v1.5.0 Security concern
Date Sat, 06 Oct 2012 15:19:29 GMT
Romain:

I think TomEE should be "secure by default", so commenting the default
users sound good to me.
For developers vs production use cases, I think it would be great to have a
"configurator command" to swtich from "developer" vs. "production"
configuration profiles.
(IBM WebSphere has this feature, in Profile Management Tool)

Alex.


On Sat, Oct 6, 2012 at 4:15 PM, Romain Manni-Bucau <rmannibucau@gmail.com>wrote:

> Hi,
>
> i think the question is open and i scare a debate without end on this
> topic.
>
> Why i didn't comment it: because the moment where you need it the most
> often is during the development so no issue having it.
>
> In production i hope it is adapted (and maybe tomcat-users.xml is not used
> at all) so i thought it was not an issue.
>
> That's said if *everybody *thinks it should be as Tomcat commented i see no
> big issue doing it
>
> *Romain Manni-Bucau*
> *Twitter: @rmannibucau <https://twitter.com/rmannibucau>*
> *Blog: **http://rmannibucau.wordpress.com/*<
> http://rmannibucau.wordpress.com/>
> *LinkedIn: **http://fr.linkedin.com/in/rmannibucau*
> *Github: https://github.com/rmannibucau*
>
>
>
>
> 2012/10/6 exabrial <exabrial+openejb@gmail.com>
>
> > In apache-tomee-webprofile-1.5.0/conf/tomcat-users.xml, the following
> users
> > are defined:
> >
> >   <role rolename="tomee-admin"/>
> >   <user password="tomee" roles="tomee-admin,manager-gui"
> username="tomee"/>
> >
> > Wouldn't it be better to have those commented out by default?
> >
> >
> >
> > --
> > View this message in context:
> >
> http://openejb.979440.n4.nabble.com/v1-5-0-Security-concern-tp4657814.html
> > Sent from the OpenEJB User mailing list archive at Nabble.com.
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message