tomee-users mailing list archives

From "Neale Rudd" <ne...@metawerx.net>
Subject Re: v1.5.0 Security concern
Date Sat, 06 Oct 2012 15:39:27 GMT
Hi Guys,

In any production hosted environment, this is one of the first things that 
is changed - but since people might be installing TomEE on VPSs etc., I 
personally agree that this should be commented out by default.

That said, other containers like JBoss ship with security disabled and full 
access to the admin tools available after a fresh install.

It's the choice of "be secure, and users have to learn something to access 
admin tools" or "let users access everything and make them learn something 
to secure it".  Either way has benefits.

Best Regards,
Neale




----- Original Message ----- 
From: "Romain Manni-Bucau" <rmannibucau@gmail.com>
To: <users@openejb.apache.org>
Sent: Sunday, October 07, 2012 1:32 AM
Subject: Re: v1.5.0 Security concern


> I thought of starting a thread on it after the next release, but it's up to you; JIRA
> works too.
>
> Romain Manni-Bucau
> Twitter: @rmannibucau <https://twitter.com/rmannibucau>
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau
>
>
>
>
> 2012/10/6 Alex The Rocker <alex.m3tal@gmail.com>
>
>> Want me to file a JIRA for it?
>> Alex
>>
>> On Sat, Oct 6, 2012 at 5:23 PM, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>>
>> > Hmm,
>> >
>> > a kind of profile can make sense;
>> >
>> > probably something to think about for v1.6.
>> >
>> > Romain Manni-Bucau
>> > Twitter: @rmannibucau <https://twitter.com/rmannibucau>
>> > Blog: http://rmannibucau.wordpress.com/
>> > LinkedIn: http://fr.linkedin.com/in/rmannibucau
>> > Github: https://github.com/rmannibucau
>> >
>> >
>> >
>> >
>> > 2012/10/6 Alex The Rocker <alex.m3tal@gmail.com>
>> >
>> > > Romain:
>> > >
>> > > I think TomEE should be "secure by default", so commenting out the default
>> > > users sounds good to me.
>> > > For developer vs. production use cases, I think it would be great to have a
>> > > "configurator command" to switch between "developer" and "production"
>> > > configuration profiles.
>> > > (IBM WebSphere has this feature, in the Profile Management Tool)
>> > >
>> > > Alex.
>> > >
>> > >
>> > > On Sat, Oct 6, 2012 at 4:15 PM, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > I think the question is open and I fear a debate without end on this
>> > > > topic.
>> > > >
>> > > > Why I didn't comment it out: because the moment where you need it the
>> > > > most often is during development, so there's no issue having it.
>> > > >
>> > > > In production I hope it is adapted (and maybe tomcat-users.xml is not
>> > > > used at all), so I thought it was not an issue.
>> > > >
>> > > > That said, if *everybody* thinks it should be commented out as in Tomcat,
>> > > > I see no big issue doing it.
>> > > >
>> > > > Romain Manni-Bucau
>> > > > Twitter: @rmannibucau <https://twitter.com/rmannibucau>
>> > > > Blog: http://rmannibucau.wordpress.com/
>> > > > LinkedIn: http://fr.linkedin.com/in/rmannibucau
>> > > > Github: https://github.com/rmannibucau
>> > > >
>> > > >
>> > > >
>> > > >
>> > > > 2012/10/6 exabrial <exabrial+openejb@gmail.com>
>> > > >
>> > > > > In apache-tomee-webprofile-1.5.0/conf/tomcat-users.xml, the following
>> > > > > users are defined:
>> > > > >
>> > > > >   <role rolename="tomee-admin"/>
>> > > > >   <user password="tomee" roles="tomee-admin,manager-gui" username="tomee"/>
>> > > > >
>> > > > > Wouldn't it be better to have those commented out by default?
>> > > > >
> 
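A small audit of the shipped tomcat-users.xml beside the hardened form the thread proposes, as an added example that is not part of this thread or of TomEE itself; the `<tomcat-users>` root element, the extra "ops" account and the PRIVILEGED_ROLES set are assumptions made here.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of conf/tomcat-users.xml from
# apache-tomee-webprofile-1.5.0, carrying the two lines quoted in the thread;
# the <tomcat-users> root and the "ops" entry are assumptions added here.
SHIPPED = """<tomcat-users>
  <role rolename="tomee-admin"/>
  <user password="tomee" roles="tomee-admin,manager-gui" username="tomee"/>
  <user password="Rotated-Per-Host-2012" roles="deployer" username="ops"/>
</tomcat-users>
"""

# The same file with the default account commented out, as proposed on the list.
HARDENED = """<tomcat-users>
  <role rolename="tomee-admin"/>
  <!--
  <user password="tomee" roles="tomee-admin,manager-gui" username="tomee"/>
  -->
  <user password="Rotated-Per-Host-2012" roles="deployer" username="ops"/>
</tomcat-users>
"""

# Roles that hand over the manager application or TomEE administration
# (assumed set; extend it to match the roles your deployment actually maps).
PRIVILEGED_ROLES = {"tomee-admin", "manager-gui", "manager-script", "admin-gui"}


def audit_tomcat_users(xml_text):
    """Return {username: [reasons]} for live <user> entries that need attention.

    The XML parser drops comments, so an account that only exists inside
    <!-- ... --> is not a live login and yields no finding."""
    findings = {}
    for user in ET.fromstring(xml_text).iter("user"):
        # Tomcat accepts both the "username" and the older "name" attribute.
        name = user.get("username") or user.get("name") or ""
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        reasons = []
        if password.lower() == name.lower():
            reasons.append("password equals username")
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged and reasons:
            reasons.append("trivial credential holds privileged roles: " + ",".join(privileged))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for label, text in (("shipped", SHIPPED), ("hardened", HARDENED)):
        print(label, audit_tomcat_users(text))
```

Run it against a real conf/tomcat-users.xml by passing the file contents to audit_tomcat_users; an empty result means no live account reuses its username as password.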

