[
https://issues.apache.org/jira/browse/TOMEE-450?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13471085#comment-13471085
]
Romain Manni-Bucau commented on TOMEE-450:
------------------------------------------
To try to give some more information:
- openejb.internal.beans.security.enabled should be set to true in production too (system.properties or JVM system property)
- some conf/conf.d/*.properties should contain disabled=true by default
- finally, the ejbd servlet in the tomee webapp should be secured
Note: activating all this stuff breaks a lot of dev tools (i.e. the configuration needs to be added back to reactivate them).
IMO, since the security depends on the environment, we shouldn't activate it by default. Security generally concerns fewer people than development, so I prefer to let it work for most people and let some work for a minority.
However, the idea of a profile can be discussed (I already spoke of something close to it some months earlier, but it was not justified enough to be done).
> TomEE configuration should be secure by default & use a profile manager for
> development configuration
> -----------------------------------------------------------------------------------------------------
>
> Key: TOMEE-450
> URL: https://issues.apache.org/jira/browse/TOMEE-450
> Project: TomEE
> Issue Type: Improvement
> Affects Versions: 1.5.0
> Reporter: Alex the Rocker
>
> TomEE 1.5.0 default configuration is insecure by default, at least with
> regard to those items:
> - it comes with predefined users tomee-admin and tomee
> - it includes the tomee administration UI
> (there are probably more)
> A noticeable improvement for TomEE would be to deliver it "secure by default"
> and provide a profile management tool (command line is fine) to change its
> setup into a "developer mode" with admin users & admin UI enabled.
> IBM WebSphere has a tool called profile management tool which allows this
> kind of setup in a few clicks (with a couple of options).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
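As an added example (not part of this JIRA thread or of the TomEE project), a small audit script that checks an unpacked TomEE directory for the points raised in the thread: the openejb.internal.beans.security.enabled flag in conf/system.properties, disabled=true in every conf/conf.d/*.properties, the predefined tomee-admin and tomee users in conf/tomcat-users.xml, and a security-constraint in the tomee webapp's web.xml (where the ejbd servlet lives). The file locations are assumptions about the TomEE 1.5 layout, and the sample install the demo builds is constructed, not a real distribution.

```python
import re
import tempfile
from pathlib import Path
FLAG = "openejb.internal.beans.security.enabled"

def load_properties(path: Path) -> dict:
    # Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comment lines.
    props = {}
    for line in (raw.strip() for raw in path.read_text(encoding="utf-8").splitlines()):
        if m := re.match(r"([^=:\s#!][^=:\s]*)\s*[=:]?\s*(.*)", line):
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_tomee(home: Path) -> list:
    """Return findings for the points raised in the thread; an empty list means all satisfied."""
    findings = []
    sysprops = home / "conf" / "system.properties"
    props = load_properties(sysprops) if sysprops.exists() else {}
    if props.get(FLAG, "").lower() != "true":
        findings.append(f"{FLAG} is not true in conf/system.properties")
    for p in sorted((home / "conf" / "conf.d").glob("*.properties")):
        if load_properties(p).get("disabled", "").lower() != "true":
            findings.append(f"{p.relative_to(home)} lacks disabled=true")
    users = home / "conf" / "tomcat-users.xml"
    for name in ("tomee-admin", "tomee"):
        if users.exists() and re.search(rf'<user\s[^>]*username="{name}"', users.read_text()):
            findings.append(f"predefined user {name} still present in conf/tomcat-users.xml")
    webxml = home / "webapps" / "tomee" / "WEB-INF" / "web.xml"
    if webxml.exists() and "<security-constraint" not in webxml.read_text():
        findings.append("webapps/tomee/WEB-INF/web.xml has no <security-constraint> for the ejbd servlet")
    return findings

def build_sample_install(root: Path, hardened: bool) -> Path:
    # Constructed, minimal TomEE-like layout (paths are assumptions) used only for the demo.
    for d in ("conf/conf.d", "webapps/tomee/WEB-INF"):
        (root / d).mkdir(parents=True)
    (root / "conf/system.properties").write_text(f"{FLAG} = {str(hardened).lower()}\n")
    (root / "conf/conf.d/cxf.properties").write_text("disabled = true\n" if hardened else "# cxf\n")
    user = "" if hardened else '<user username="tomee-admin" password="x" roles="tomee-admin"/>\n'
    (root / "conf/tomcat-users.xml").write_text(f"<tomcat-users>\n{user}</tomcat-users>\n")
    constraint = "<security-constraint/>" if hardened else ""
    (root / "webapps/tomee/WEB-INF/web.xml").write_text(f"<web-app>{constraint}</web-app>\n")
    return root

def demo() -> dict:
    out = {}
    for hardened in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            out[hardened] = audit_tomee(build_sample_install(Path(tmp), hardened))
    return out
```

demo() audits one default-style and one hardened constructed install and returns the findings keyed by the hardened flag; point audit_tomee() at a real TomEE home to run the same checks there.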