The profile is good enough IMO. If we make it secure by default it will be a pain in dev (and one reason to not use it for me)
Security depends on if there is a httpd or not too...in real life it shouldn't be an issue too much, no?

On 8 Oct 2012 19:30, "Bjorn Danielsson" <[email protected]> wrote:

> Just my opinion for whatever it's worth:
>
> As we all know, and as Romain explains quite clearly, there
> is a built-in conflict between what is most convenient for
> the developer and what is most convenient for the production
> people.
>
> I think all defaults *except* for security-impacting things
> should be chosen to make life easier for developers,
> not production people. But for anything security-related
> I suggest that the defaults should *always* be governed by
> the principle "secure out of the box".
>
> My reason is that there are (unfortunately) too many people out
> there who have very little clues about security, or who don't
> have any incentive to care about it. And as the popularity of
> TomEE grows, the impact of such people deploying TomEE will
> also grow. The consequences of that must be weighed against
> the inconvenience of the developer's need to relax the security
> settings.
>
> --
> Bjorn Danielsson
> Cuspy Code AB
>
>
> Romain Manni-Bucau <[email protected]> wrote:
> > hmm that's not exactly what i said Alex :p
> >
> > on a project you generally have N (>5) developers using the container to
> > develop (let's say with tomee-maven-plugin or WTP or something else...)
> >
> > then when it is about production you have 2-3 people configuring the server
> > then it can be deployed in cluster automatically from the config.
> >
> > So my statement is the config work in dev is > the prod one
> >
> > So IMO it should work out of the box in dev then the prod should adapt the
> > conf. That's for instance what we do about datasources: we provide some
> > default datasources to let people use JPA out of the box then in production
> > you configure your real datasource, your pooling etc...
> >
> > Sorry if it was not clear.
> >
> > Romain Manni-Bucau
> > Twitter: @rmannibucau <https://twitter.com/rmannibucau>
> > Blog: http://rmannibucau.wordpress.com/
> > LinkedIn: http://fr.linkedin.com/in/rmannibucau
> > Github: https://github.com/rmannibucau
> >
> >
> > 2012/10/6 Alex The Rocker <[email protected]>
> >
> >> Hello,
> >>
> >> This is to continue the discussion started in users@ list around JIRA
> >> improvement item https://issues.apache.org/jira/browse/TOMEE-450
> >>
> >> I'm a bit surprised by Romain's statement that TomEE is primarily used by
> >> developers: I thought that in real world there are more app servers used
> >> to deploy than to develop; even if since TomEE is new it's not yet the
> >> case.
> >>
> >> Any opinion?
> >>
> >> Alex
