tomee-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex The Rocker <alex.m3...@gmail.com>
Subject Re: v1.5.0 Security concern
Date Sat, 06 Oct 2012 19:37:40 GMT
okay I do that

On Sat, Oct 6, 2012 at 9:29 PM, Romain Manni-Bucau <rmannibucau@gmail.com>wrote:

> added some more info + my opinion
>
> maybe the thread should be pushed to dev@ now, no?
>
> *Romain Manni-Bucau*
> *Twitter: @rmannibucau <https://twitter.com/rmannibucau>*
> *Blog: **http://rmannibucau.wordpress.com/*<
> http://rmannibucau.wordpress.com/>
> *LinkedIn: **http://fr.linkedin.com/in/rmannibucau*
> *Github: https://github.com/rmannibucau*
>
>
>
>
> 2012/10/6 Alex The Rocker <alex.m3tal@gmail.com>
>
> > Security isn't an option.
> > JIRA improvement item created, see:
> > https://issues.apache.org/jira/browse/TOMEE-450
> >
> >
> > On Sat, Oct 6, 2012 at 5:32 PM, Romain Manni-Bucau <
> rmannibucau@gmail.com
> > >wrote:
> >
> > > i thought starting a thread on it after next release but up to you,
> jira
> > > works too
> > >
> > > *Romain Manni-Bucau*
> > > *Twitter: @rmannibucau <https://twitter.com/rmannibucau>*
> > > *Blog: **http://rmannibucau.wordpress.com/*<
> > > http://rmannibucau.wordpress.com/>
> > > *LinkedIn: **http://fr.linkedin.com/in/rmannibucau*
> > > *Github: https://github.com/rmannibucau*
> > >
> > >
> > >
> > >
> > > 2012/10/6 Alex The Rocker <alex.m3tal@gmail.com>
> > >
> > > > Want me to fill a JIRA for it ?
> > > > Alex
> > > >
> > > > On Sat, Oct 6, 2012 at 5:23 PM, Romain Manni-Bucau <
> > > rmannibucau@gmail.com
> > > > >wrote:
> > > >
> > > > > hmm
> > > > >
> > > > > kind of profile can make sense
> > > > >
> > > > > probably something to think about for v 1.6
> > > > >
> > > > > *Romain Manni-Bucau*
> > > > > *Twitter: @rmannibucau <https://twitter.com/rmannibucau>*
> > > > > *Blog: **http://rmannibucau.wordpress.com/*<
> > > > > http://rmannibucau.wordpress.com/>
> > > > > *LinkedIn: **http://fr.linkedin.com/in/rmannibucau*
> > > > > *Github: https://github.com/rmannibucau*
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > 2012/10/6 Alex The Rocker <alex.m3tal@gmail.com>
> > > > >
> > > > > > Romain:
> > > > > >
> > > > > > I think TomEE should be "secure by default", so commenting the
> > > default
> > > > > > users sound good to me.
> > > > > > For developers vs production use cases, I think it would be
great
> > to
> > > > > have a
> > > > > > "configurator command" to swtich from "developer" vs.
> "production"
> > > > > > configuration profiles.
> > > > > > (IBM WebSphere has this feature, in Profile Management Tool)
> > > > > >
> > > > > > Alex.
> > > > > >
> > > > > >
> > > > > > On Sat, Oct 6, 2012 at 4:15 PM, Romain Manni-Bucau <
> > > > > rmannibucau@gmail.com
> > > > > > >wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > i think the question is open and i scare a debate without
end
> on
> > > this
> > > > > > > topic.
> > > > > > >
> > > > > > > Why i didn't comment it: because the moment where you need
it
> the
> > > > most
> > > > > > > often is during the development so no issue having it.
> > > > > > >
> > > > > > > In production i hope it is adapted (and maybe tomcat-users.xml
> is
> > > not
> > > > > > used
> > > > > > > at all) so i thought it was not an issue.
> > > > > > >
> > > > > > > That's said if *everybody *thinks it should be as Tomcat
> > commented
> > > i
> > > > > see
> > > > > > no
> > > > > > > big issue doing it
> > > > > > >
> > > > > > > *Romain Manni-Bucau*
> > > > > > > *Twitter: @rmannibucau <https://twitter.com/rmannibucau>*
> > > > > > > *Blog: **http://rmannibucau.wordpress.com/*<
> > > > > > > http://rmannibucau.wordpress.com/>
> > > > > > > *LinkedIn: **http://fr.linkedin.com/in/rmannibucau*
> > > > > > > *Github: https://github.com/rmannibucau*
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > 2012/10/6 exabrial <exabrial+openejb@gmail.com>
> > > > > > >
> > > > > > > > In apache-tomee-webprofile-1.5.0/conf/tomcat-users.xml,
the
> > > > following
> > > > > > > users
> > > > > > > > are defined:
> > > > > > > >
> > > > > > > >   <role rolename="tomee-admin"/>
> > > > > > > >   <user password="tomee" roles="tomee-admin,manager-gui"
> > > > > > > username="tomee"/>
> > > > > > > >
> > > > > > > > Wouldn't it be better to have those commented out
by default?
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > View this message in context:
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://openejb.979440.n4.nabble.com/v1-5-0-Security-concern-tp4657814.html
> > > > > > > > Sent from the OpenEJB User mailing list archive at
> Nabble.com.
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message