Hi

For some time now (I think since 1.6.0, but not sure) the tomee:tomee user is
added automatically by default. Use -Dopenejb.profile=prod to get rid of
it.


Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau


2014-05-12 16:25 GMT+02:00 Thiago Veronezi <thi...@veronezi.org>:
> Guys,
>
> Sorry for the late notice, but can you verify this? It looks like the
> server completely ignores the fact that the default "tomee" credentials are
> commented out in "tomcat-users.xml".
>
> How to test?
> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/apache-tomee-1.6.0.2-plus.tar.gz
> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/tomee-webaccess-1.6.0.2.war
>
> * Install webaccess
> * Try to access it with tomee/tomee. You should not be able to because the
> credentials are commented out.
> * Now remove it completely and leave the "tomcat-users" list empty. You are
> again able to access it with tomee/tomee
> * Now set...
>
> <tomcat-users>
>   <role rolename="tomee-admin" />
>   <user username="tomee" password="tomis" roles="tomee-admin" />
> </tomcat-users>
>
> ... and try to access it with "tomee/tomee". It finally blocks the access.
> It will only work with "tomee/tomis".
>
> I'm not able to check or fix this right now. Feel free to investigate it.
>
> []s,
> Thiago.
>
> On Mon, May 12, 2014 at 9:31 AM, David Blevins <david.blev...@gmail.com> wrote:
>
>> My +1.
>>
>>
>> --
>> David Blevins
>> http://twitter.com/dblevins
>> http://www.tomitribe.com
>>
>> On May 6, 2014, at 2:29 PM, Andy Gumbrecht <agumbre...@tomitribe.com>
>> wrote:
>>
>> > Hi Everyone,
>> >
>> > I have rolled out the 1.6.0.2 security release for a vote.
>> >
>> > The *only* difference to 1.6.0.1 is an upgrade to CXF 2.6.14 to fix the
>> > 2014 (that's the year not the count) security issues found here:
>> > http://cxf.apache.org/security-advisories.html
>> >
>> > SVN Tag:
>> >
>> > https://svn.apache.org/repos/asf/tomee/tomee/tags/tomee-1.6.0.2/
>> >
>> > Maven Repo:
>> >
>> > https://repository.apache.org/content/repositories/orgapachetomee-1016
>> >
>> > Binaries & Source:
>> >
>> > https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/
>> >
>> > The vote will be open for 72 hours or as needed.
>> >
>> > Thanks for your time,
>> >
>> > Andy.
>> >
>> > --
>> >  Andy Gumbrecht
>> >
>> >  http://www.tomitribe.com
>> >  agumbre...@tomitribe.com
>> >  https://twitter.com/AndyGeeDe
>> >
>> >  TomEE treibt Tomitribe! |http://tomee.apache.org
>> >
>>
>>
