I don't recall discussing adding users outside of those configured in the tomee-users.xml. Where in code do we do this?
-David

On May 12, 2014, at 1:15 PM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:

> yep since default profile is development. You can find details back on
> the list but basically default are dev and tools friendly. Security is
> only on when you are no more in profile dev.
>
> Actually having tomee/tomee user in memory db is less dangerous than
> having openejb internal app deployed. Both are deactivated in not dev
> profile normally.
>
> Romain Manni-Bucau
> Twitter: @rmannibucau
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau
>
> 2014-05-12 22:06 GMT+02:00 David Blevins <david.blev...@gmail.com>:
>> So if an administrator wanted to disable all users and did so by commenting
>> them out from the tomcat-users.xml file, would we then add users and open
>> access back up? (speaking of course of our default actions)
>>
>> -David
>>
>> On May 12, 2014, at 9:58 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>
>>> the point was if we don't do it by default some tools would have been
>>> broken by default like the webapp.
>>>
>>> BTW if you remove the memorydatabase of server.xml or if you define
>>> any user we don't do it (see public void start(final StandardServer
>>> server) in TomcatWebAppBuilder)
>>>
>>> Romain Manni-Bucau
>>> Twitter: @rmannibucau
>>> Blog: http://rmannibucau.wordpress.com/
>>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>>> Github: https://github.com/rmannibucau
>>>
>>> 2014-05-12 18:25 GMT+02:00 Thiago Veronezi <thi...@veronezi.org>:
>>>> Oh... I didn't know about that. I probably missed that discussion.
>>>>
>>>> imo, it looks dangerous. It means that commenting out all the credentials
>>>> from "tomee-users.xml" changes the default tomcat behavior one expects to
>>>> see.
>>>>
>>>> []s,
>>>> Thiago.
>>>>
>>>> On Mon, May 12, 2014 at 11:16 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> for some time (think it is 1.6.0 but not sure) tomee:tomee user is
>>>>> added automatically by default. -Dopenejb.profile=prod to get rid of
>>>>> it
>>>>>
>>>>> Romain Manni-Bucau
>>>>> Twitter: @rmannibucau
>>>>> Blog: http://rmannibucau.wordpress.com/
>>>>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>>>>> Github: https://github.com/rmannibucau
>>>>>
>>>>> 2014-05-12 16:25 GMT+02:00 Thiago Veronezi <thi...@veronezi.org>:
>>>>>> Guys,
>>>>>>
>>>>>> Sorry for the late notice, but can you verify this? It looks like the
>>>>>> server completely ignores the fact that the default "tomee" credentials
>>>>>> are commented out in "tomcat-users.xml".
>>>>>>
>>>>>> How to test?
>>>>>>
>>>>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/apache-tomee-1.6.0.2-plus.tar.gz
>>>>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/tomee-webaccess-1.6.0.2.war
>>>>>>
>>>>>> * Install webaccess
>>>>>> * try to access it with tomee/tomee. You should not be able to because the
>>>>>>   credentials are commented out.
>>>>>> * Now remove it completely and leave the "tomcat-users" list empty. You are
>>>>>>   again able to access it with tomee/tomee
>>>>>> * Now set...
>>>>>>
>>>>>> <tomcat-users>
>>>>>>   <role rolename="tomee-admin" />
>>>>>>   <user username="tomee" password="tomis" roles="tomee-admin" />
>>>>>> </tomcat-users>
>>>>>>
>>>>>> ... and try to access it with "tomee/tomee". It finally blocks the
>>>>>> access. It will only work with "tomee/tomis".
>>>>>>
>>>>>> I'm not able to check or fix this right now. Feel free to investigate it.
>>>>>>
>>>>>> []s,
>>>>>> Thiago.
>>>>>>
>>>>>> On Mon, May 12, 2014 at 9:31 AM, David Blevins <david.blev...@gmail.com> wrote:
>>>>>>
>>>>>>> My +1.
>>>>>>>
>>>>>>> --
>>>>>>> David Blevins
>>>>>>> http://twitter.com/dblevins
>>>>>>> http://www.tomitribe.com
>>>>>>>
>>>>>>> On May 6, 2014, at 2:29 PM, Andy Gumbrecht <agumbre...@tomitribe.com> wrote:
>>>>>>>
>>>>>>>> Hi Everyone,
>>>>>>>>
>>>>>>>> I have rolled out the 1.6.0.2 security release for a vote.
>>>>>>>>
>>>>>>>> The *only* difference to 1.6.0.1 is an upgrade to CXF 2.6.14 to fix the
>>>>>>>> 2014 (that's the year not the count) security issues found here:
>>>>>>>> http://cxf.apache.org/security-advisories.html
>>>>>>>>
>>>>>>>> SVN Tag:
>>>>>>>> https://svn.apache.org/repos/asf/tomee/tomee/tags/tomee-1.6.0.2/
>>>>>>>>
>>>>>>>> Maven Repo:
>>>>>>>> https://repository.apache.org/content/repositories/orgapachetomee-1016
>>>>>>>>
>>>>>>>> Binaries & Source:
>>>>>>>> https://dist.apache.org/repos/dist/dev/tomee/staging-1016/tomee-1.6.0.2/
>>>>>>>>
>>>>>>>> The vote will be open for 72 hours or as needed.
>>>>>>>>
>>>>>>>> Thanks for your time,
>>>>>>>>
>>>>>>>> Andy.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Andy Gumbrecht
>>>>>>>> http://www.tomitribe.com
>>>>>>>> agumbre...@tomitribe.com
>>>>>>>> https://twitter.com/AndyGeeDe
>>>>>>>>
>>>>>>>> TomEE treibt Tomitribe! |http://tomee.apache.org
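The thread above boils down to two conditions an operator can check offline: TomEE adds the in-memory tomee/tomee user only when no user is defined in tomcat-users.xml (users inside XML comments do not count, since the parser never sees them) and the server is still in the default dev profile rather than -Dopenejb.profile=prod. The following audit script is an added example written for this page, not code from the thread or from the TomEE project. It assumes that the "memory database" Romain mentions is the UserDatabase resource in server.xml backed by MemoryUserDatabaseFactory, that a profile value of "dev" or "development" (or an absent property) means the dev profile and anything else does not, and all sample inputs are constructed.

```python
"""Offline audit of the TomEE default-user behaviour discussed on the thread.

Added example, not TomEE's own code. Assumptions are marked in comments.
"""
import re
import xml.etree.ElementTree as ET

DEFAULT_USER = "tomee"  # the user/password the thread says TomEE adds in the dev profile

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
USER_RE = re.compile(r'<user\b[^>]*?\busername="([^"]*)"')


def defined_users(tomcat_users_xml):
    """Map username -> password for <user> elements the XML parser actually returns.

    Anything inside <!-- --> is invisible here, exactly as it is to the server,
    which is why commenting users out does not count as defining one.
    """
    root = ET.fromstring(tomcat_users_xml)
    users = {}
    for el in root.iter():
        if el.tag.split("}")[-1] == "user":  # tolerate a default XML namespace
            name = el.get("username") or el.get("name")
            if name:
                users[name] = el.get("password")
    return users


def commented_out_users(tomcat_users_xml):
    """Usernames that survive only inside XML comments, i.e. 'disabled' by an admin."""
    names = []
    for body in COMMENT_RE.findall(tomcat_users_xml):
        names.extend(USER_RE.findall(body))
    return names


def openejb_profile(catalina_opts):
    """Value of -Dopenejb.profile in a JVM option string; the thread says the default is dev."""
    m = re.search(r"-Dopenejb\.profile=(\S+)", catalina_opts)
    return m.group(1) if m else "development"


def audit(tomcat_users_xml, catalina_opts, server_xml):
    """Return the profile, the visible and commented-out users, and a list of findings."""
    users = defined_users(tomcat_users_xml)
    hidden = commented_out_users(tomcat_users_xml)
    profile = openejb_profile(catalina_opts)
    dev = profile in ("dev", "development")  # assumption: any other value is non-dev
    # Assumption: the "memory database" of server.xml is the UserDatabase resource
    # created by MemoryUserDatabaseFactory; removing it also disables the default user.
    memory_db = "MemoryUserDatabaseFactory" in server_xml

    findings = []
    if dev and memory_db and not users:
        findings.append(
            "no <user> defined and profile is '%s': TomEE will add %s/%s in memory"
            % (profile, DEFAULT_USER, DEFAULT_USER)
        )
        if hidden:
            findings.append(
                "commented-out users (%s) do not disable the default user; "
                "define a real user or start with -Dopenejb.profile=prod" % ", ".join(hidden)
            )
    if users.get(DEFAULT_USER) == DEFAULT_USER:
        findings.append("default %s/%s credentials are defined and active" % (DEFAULT_USER, DEFAULT_USER))
    return {"profile": profile, "users": users, "commented_out": hidden, "findings": findings}


# Constructed sample inputs (not real deployment files).
SERVER_XML = (
    '<Server><GlobalNamingResources><Resource name="UserDatabase" auth="Container" '
    'type="org.apache.catalina.UserDatabase" '
    'factory="org.apache.catalina.users.MemoryUserDatabaseFactory" '
    'pathname="conf/tomcat-users.xml"/></GlobalNamingResources></Server>'
)
COMMENTED_OUT = """<tomcat-users>
  <role rolename="tomee-admin" />
  <!--
  <user username="tomee" password="tomee" roles="tomee-admin" />
  -->
</tomcat-users>"""
EXPLICIT_USER = """<tomcat-users>
  <role rolename="tomee-admin" />
  <user username="tomee" password="tomis" roles="tomee-admin" />
</tomcat-users>"""

if __name__ == "__main__":
    for label, xml, opts in [
        ("commented out, dev profile", COMMENTED_OUT, ""),
        ("commented out, prod profile", COMMENTED_OUT, "-Dopenejb.profile=prod"),
        ("explicit user, dev profile", EXPLICIT_USER, ""),
    ]:
        result = audit(xml, opts, SERVER_XML)
        print(label, "->", result["findings"] or ["ok"])
```

The script reads the files as text so it can report both what the server will see (parsed users) and what the administrator thought they had configured (commented-out users); the gap between the two is exactly the surprise Thiago describes.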