Re: v1.5.0 Security concern

2012-10-06 Thread Alex The Rocker
okay I do that

On Sat, Oct 6, 2012 at 9:29 PM, Romain Manni-Bucau wrote:

> added some more info + my opinion
>
> maybe the thread should be pushed to dev@ now, no?


Re: v1.5.0 Security concern

2012-10-06 Thread Romain Manni-Bucau
added some more info + my opinion

maybe the thread should be pushed to dev@ now, no?

Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau




2012/10/6 Alex The Rocker 

> Security isn't an option.
> JIRA improvement item created, see:
> https://issues.apache.org/jira/browse/TOMEE-450


Re: v1.5.0 Security concern

2012-10-06 Thread Alex The Rocker
Security isn't an option.
JIRA improvement item created, see:
https://issues.apache.org/jira/browse/TOMEE-450


On Sat, Oct 6, 2012 at 5:32 PM, Romain Manni-Bucau wrote:

> i thought starting a thread on it after next release but up to you, jira
> works too


Re: v1.5.0 Security concern

2012-10-06 Thread Neale Rudd

Hi Guys,

In any production hosted environment, this is one of the first things that 
is changed - but since people might be installing TomEE on VPS's etc... I 
personally agree that this should be commented out by default.


That said, other containers like JBoss ship with security disabled and full 
access to the admin tools available after a fresh install.


It's the choice of "be secure, and users have to learn something to access 
admin tools" or "let users access everything and make them learn something 
to secure it".  Either way has benefits.


Best Regards,
Neale




- Original Message - 
From: "Romain Manni-Bucau" 

To: 
Sent: Sunday, October 07, 2012 1:32 AM
Subject: Re: v1.5.0 Security concern



i thought starting a thread on it after next release but up to you, jira
works too








Re: v1.5.0 Security concern

2012-10-06 Thread Romain Manni-Bucau
i thought starting a thread on it after next release but up to you, jira
works too





2012/10/6 Alex The Rocker 

> Want me to fill a JIRA for it ?
> Alex


Re: v1.5.0 Security concern

2012-10-06 Thread Alex The Rocker
Want me to fill a JIRA for it ?
Alex

On Sat, Oct 6, 2012 at 5:23 PM, Romain Manni-Bucau wrote:

> hmm
>
> kind of profile can make sense
>
> probably something to think about for v 1.6


Re: v1.5.0 Security concern

2012-10-06 Thread Romain Manni-Bucau
hmm

kind of profile can make sense

probably something to think about for v 1.6





2012/10/6 Alex The Rocker 

> Romain:
>
> I think TomEE should be "secure by default", so commenting the default
> users sounds good to me.
> For developers vs production use cases, I think it would be great to have a
> "configurator command" to switch from "developer" vs. "production"
> configuration profiles.
> (IBM WebSphere has this feature, in Profile Management Tool)
>
> Alex.


Re: v1.5.0 Security concern

2012-10-06 Thread Alex The Rocker
Romain:

I think TomEE should be "secure by default", so commenting the default
users sounds good to me.
For developers vs production use cases, I think it would be great to have a
"configurator command" to switch from "developer" vs. "production"
configuration profiles.
(IBM WebSphere has this feature, in Profile Management Tool)

Alex.


On Sat, Oct 6, 2012 at 4:15 PM, Romain Manni-Bucau wrote:

> Hi,
>
> i think the question is open and i scare a debate without end on this
> topic.
>
> Why i didn't comment it: because the moment where you need it the most
> often is during the development so no issue having it.
>
> In production i hope it is adapted (and maybe tomcat-users.xml is not used
> at all) so i thought it was not an issue.
>
> That said, if *everybody* thinks it should be as Tomcat commented i see no
> big issue doing it


Re: v1.5.0 Security concern

2012-10-06 Thread Romain Manni-Bucau
Hi,

i think the question is open and i scare a debate without end on this topic.

Why i didn't comment it: because the moment where you need it the most
often is during the development so no issue having it.

In production i hope it is adapted (and maybe tomcat-users.xml is not used
at all) so i thought it was not an issue.

That said, if *everybody* thinks it should be as Tomcat commented i see no
big issue doing it





2012/10/6 exabrial 

> In apache-tomee-webprofile-1.5.0/conf/tomcat-users.xml, the following users
> are defined:
>
>   
>   
>
> Wouldn't it be better to have those commented out by default?


v1.5.0 Security concern

2012-10-06 Thread exabrial
In apache-tomee-webprofile-1.5.0/conf/tomcat-users.xml, the following users
are defined:

  
  

Wouldn't it be better to have those commented out by default?



--
View this message in context: 
http://openejb.979440.n4.nabble.com/v1-5-0-Security-concern-tp4657814.html
Sent from the OpenEJB User mailing list archive at Nabble.com.
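
The check this post asks about, together with the "commented out by default" change discussed in the replies, as an added example that is not part of the original thread and not TomEE's own code: list the `<user>` entries a `tomcat-users.xml` actually activates, then comment them out and verify none remain. The sample file, the function names, the role name and the placeholder password are assumptions made for illustration; only the user name `tomee` comes from the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, NOT the real TomEE file: only the user name "tomee"
# appears in the thread; the role name and password are placeholders.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<tomcat-users>
  <role rolename="example-admin"/>
  <user username="tomee" password="PLACEHOLDER" roles="example-admin"/>
  <!--
  <user username="disabled" password="PLACEHOLDER" roles="example-admin"/>
  -->
</tomcat-users>
"""

# Either an existing comment (left alone) or a self-closing <user .../> tag.
# Quoted attribute values are skipped as units so a ">" inside one is harmless.
_COMMENT_OR_USER = re.compile(
    r"""(<!--.*?-->)|(<user\b(?:[^>"']|"[^"]*"|'[^']*')*/>)""", re.S)


def active_users(xml_text):
    """Return [(username, [roles])] for every <user> that is not commented out."""
    root = ET.fromstring(xml_text)  # the default parser discards comments
    found = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate a namespaced file
            continue
        # Tomcat accepts "name" as an older spelling of "username".
        name = el.get("username") or el.get("name")
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        found.append((name, roles))
    return found


def comment_out_users(xml_text):
    """Wrap every active self-closing <user/> in <!-- -->, keeping the layout."""
    hardened = _COMMENT_OR_USER.sub(
        lambda m: m.group(1) or "<!-- " + m.group(2) + " -->", xml_text)
    # Re-parse the result: raises ParseError if the edit produced malformed XML
    # (for example "--" inside an attribute value) and catches any <user>
    # written in a form the pattern does not handle.
    leftover = active_users(hardened)
    if leftover:
        raise ValueError("still active: %r" % [name for name, _ in leftover])
    return hardened


if __name__ == "__main__":
    for name, roles in active_users(SAMPLE):
        print("active user %r with roles %s" % (name, ", ".join(roles) or "(none)"))
    print(comment_out_users(SAMPLE))
```
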