On 05/03/2016 17:08, Christopher Schultz wrote: >> First of all we could add the remote address valve and limit access to >> localhost by default. That will limit some remote attacks but possibly >> not all depending on reverse proxy configurations > > I was thinking about this as well. It would definitely make a stock > Tomcat more secure. > >> I'd also be in favour of hard-coding a check into the MemoryRealm and >> the MemoryUserDatabase that rejects [1] any of those three users if they >> have the default password and anything other than the roles defined in >> the comments. > > Why not ignore the roles and just refuse to use "tomcat" as passwords? > Then, of course, we'll have millions of servers running with "tomcat1" > as the password. :(
Indeed. Having thought about this some more, I'm going off this idea. I still quite like my original idea which was: "Fire the idiot that did this." > If we completely remove the "password" attribute, I believe the code > will currently reject all logins. That would force admins to make-up > their own, since there would be no default. That is my reading of the code as well but we should double check that is what actually happens. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org