Oh... I didn't know about that. I probably missed that discussion. imo, it looks dangerous. It means that commenting out all the credentials from "tomee-users.xml" changes the default tomcat behavior one expects to see.

[]s,
Thiago.

On Mon, May 12, 2014 at 11:16 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> Hi
>
> since some times (think it is 1.6.0 but not sure) tomee:tomee user is
> added automatically by default. -Dopenejb.profile=prod to get rid of
> it
>
>
> Romain Manni-Bucau
> Twitter: @rmannibucau
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau
>
>
> 2014-05-12 16:25 GMT+02:00 Thiago Veronezi <thi...@veronezi.org>:
> > Guys,
> >
> > Sorry for the late notice, but can you verify this? It looks like the
> > server completely ignores the fact that the default "tomee" credentials are
> > commented out in "tomcat-users.xml".
> >
> > How to test?
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/apache-tomee-1.6.0.2-plus.tar.gz
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/tomee-webaccess-1.6.0.2.war
> >
> > * Install webaccess
> > * try to access it with tomee/tomee. You should not be able because the
> > credentials are commented out.
> > * Now remove it completely and let the "tomcat-users" list empty. You are
> > again able to access it with tomee/tomee
> > * Now set...
> >
> > <tomcat-users>
> > <role rolename="tomee-admin" />
> > <user username="tomee" password="tomis" roles="tomee-admin" />
> > </tomcat-users>
> >
> > ... and try to access it with "tomee/tomee". It finally blocks the access.
> > It will only work with "tomee/tomis".
> >
> > I'm not able to check or fix this right now. Feel free to investigate it.
> >
> > []s,
> > Thiago.
> >
> > On Mon, May 12, 2014 at 9:31 AM, David Blevins <david.blev...@gmail.com> wrote:
> >
> >> My +1.
> >>
> >> --
> >> David Blevins
> >> http://twitter.com/dblevins
> >> http://www.tomitribe.com
> >>
> >> On May 6, 2014, at 2:29 PM, Andy Gumbrecht <agumbre...@tomitribe.com> wrote:
> >>
> >> > Hi Everyone,
> >> >
> >> > I have rolled out the 1.6.0.2 security release for a vote.
> >> >
> >> > The *only* difference to 1.6.0.1 is an upgrade to CXF 2.6.14 to fix the
> >> > 2014 (that's the year not the count) security issues found here:
> >> > http://cxf.apache.org/security-advisories.html
> >> >
> >> > SVN Tag:
> >> > https://svn.apache.org/repos/asf/tomee/tomee/tags/tomee-1.6.0.2/
> >> >
> >> > Maven Repo:
> >> > https://repository.apache.org/content/repositories/orgapachetomee-1016
> >> >
> >> > Binaries & Source:
> >> > https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/
> >> >
> >> > The vote will be open for 72 hours or as needed.
> >> >
> >> > Thanks for your time,
> >> >
> >> > Andy.
> >> >
> >> > --
> >> > Andy Gumbrecht
> >> >
> >> > http://www.tomitribe.com
> >> > agumbre...@tomitribe.com
> >> > https://twitter.com/AndyGeeDe
> >> >
> >> > TomEE treibt Tomitribe! |http://tomee.apache.org
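A configuration check for the behaviour the thread describes, added here as an example that is not part of the thread or of the TomEE project: it parses a conf/tomcat-users.xml the way the server sees it (commented-out entries do not exist) and reports the two conditions the messages name, an empty user list without -Dopenejb.profile=prod (the built-in tomee:tomee user is added) and a "tomee" user that still carries the default password. The three XML samples, the option string and the function names `parse_users` and `audit` are constructed for this example; nothing beyond what the thread states is assumed about TomEE's behaviour.

```python
"""Audit a TomEE conf/tomcat-users.xml for the default-user situation
discussed in the thread.  Added example, not TomEE project code; the rules
encode only what the thread states:
  * an empty user list (e.g. all users commented out) lets TomEE add its
    built-in tomee:tomee user unless -Dopenejb.profile=prod is set;
  * a defined "tomee" user with another password takes precedence.
"""
import xml.etree.ElementTree as ET

DEFAULT_USER = "tomee"
DEFAULT_PASSWORD = "tomee"          # the default credential named in the thread
PROD_PROFILE_OPT = "-Dopenejb.profile=prod"

# Constructed samples mirroring the three steps of the test procedure.
COMMENTED_OUT_XML = """<tomcat-users>
  <!-- <role rolename="tomee-admin" /> -->
  <!-- <user username="tomee" password="tomee" roles="tomee-admin" /> -->
</tomcat-users>"""

CONFIGURED_USERS_XML = """<tomcat-users>
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomis" roles="tomee-admin" />
</tomcat-users>"""

DEFAULT_PASSWORD_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomee" roles="tomee-admin" />
</tomcat-users>"""


def _local_name(tag):
    """Strip a namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_text):
    """Return [(username, password, roles)] for every live <user> element.

    XML comments are skipped by the parser, so a commented-out user is as
    invisible here as it is to the server."""
    root = ET.fromstring(xml_text)
    users = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        roles = tuple(r.strip() for r in el.get("roles", "").split(",") if r.strip())
        users.append((el.get("username", ""), el.get("password", ""), roles))
    return users


def audit(xml_text, catalina_opts=""):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    users = parse_users(xml_text)
    prod_profile = PROD_PROFILE_OPT in catalina_opts.split()
    if not users and not prod_profile:
        findings.append(
            "no users defined and openejb.profile is not 'prod': "
            "TomEE adds the built-in tomee:tomee user")
    for name, password, _roles in users:
        if name == DEFAULT_USER and password == DEFAULT_PASSWORD:
            findings.append("user 'tomee' still uses the default password")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("commented out", COMMENTED_OUT_XML),
                            ("tomee/tomis", CONFIGURED_USERS_XML),
                            ("tomee/tomee", DEFAULT_PASSWORD_XML)):
        print(label, "->", audit(xml_text) or ["ok"])
    print("commented out + prod profile ->",
          audit(COMMENTED_OUT_XML, PROD_PROFILE_OPT) or ["ok"])
```

Pointing `audit` at a real file is a matter of reading it with `open(...).read()` and passing the server's CATALINA_OPTS / JAVA_OPTS string; the check is deliberately offline so it can run in a build or deployment pipeline before the server starts.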