2016-03-07 17:52 GMT+01:00 Mark Thomas <ma...@apache.org>: > On 05/03/2016 18:36, Mark Thomas wrote: > > On 05/03/2016 17:08, Christopher Schultz wrote: > > > >>> First of all we could add the remote address valve and limit access to > >>> localhost by default. That will limit some remote attacks but possibly > >>> not all depending on reverse proxy configurations > >> > >> I was thinking about this as well. It would definitely make a stock > >> Tomcat more secure. > >> > >>> I'd also be in favour of hard-coding a check into the MemoryRealm and > >>> the MemoryUserDatabase that rejects [1] any of those three users if > they > >>> have the default password and anything other than the roles defined in > >>> the comments. > >> > >> Why not ignore the roles and just refuse to use "tomcat" as passwords? > >> Then, of course, we'll have millions of servers running with "tomcat1" > >> as the password. :( > > > > Indeed. Having thought about this some more, I'm going off this idea. > > > > I still quite like my original idea which was: > > "Fire the idiot that did this." > > > >> If we completely remove the "password" attribute, I believe the code > >> will currently reject all logins. That would force admins to make-up > >> their own, since there would be no default. > > > > That is my reading of the code as well but we should double check that > > is what actually happens. > > I started to work on this. If we remove the password attribute entirely > we'll need to add something to the file that explains how to add it > back. That probably needs an example which brings us right back to the > copy/paste problem. > > I think I have a better idea. If we change it to something that will > break if simply uncommented then that solves the problem without making > it too much harder for inexperienced users. Something like: > > password="<change-this-to-something-secure>" > > Now they could just edit this to remove '<' and '>' but at that point > they really do deserve to be fired. >
Great trick actually. > > The comments above could also make clear that the passwords need to be > set if that block is uncommented. > > WDYT? > > Rémy