Romain:

I think TomEE should be "secure by default", so commenting the default
users sounds good to me.
For developers vs production use cases, I think it would be great to have a
"configurator command" to switch from "developer" vs. "production"
configuration profiles.
(IBM WebSphere has this feature, in Profile Management Tool)

Alex.


On Sat, Oct 6, 2012 at 4:15 PM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:

> Hi,
>
> I think the question is open and I fear a debate without end on this
> topic.
>
> Why I didn't comment it: because the moment where you need it the most
> often is during development, so no issue having it.
>
> In production I hope it is adapted (and maybe tomcat-users.xml is not used
> at all) so I thought it was not an issue.
>
> That said, if *everybody* thinks it should be commented as in Tomcat, I see no
> big issue doing it.
>
> *Romain Manni-Bucau*
> Twitter: @rmannibucau <https://twitter.com/rmannibucau>
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau
>
>
>
>
> 2012/10/6 exabrial <exabrial+open...@gmail.com>
>
> > In apache-tomee-webprofile-1.5.0/conf/tomcat-users.xml, the following users
> > are defined:
> >
> >   <role rolename="tomee-admin"/>
> >   <user password="tomee" roles="tomee-admin,manager-gui" username="tomee"/>
> >
> > Wouldn't it be better to have those commented out by default?
> >
> >
> >
> > --
> > View this message in context:
> > http://openejb.979440.n4.nabble.com/v1-5-0-Security-concern-tp4657814.html
> > Sent from the OpenEJB User mailing list archive at Nabble.com.
> >
>
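
Added example, not part of the original thread and not TomEE's own tooling: a small Python audit that reports which `<user>` entries in a `tomcat-users.xml` are active, run against the excerpt quoted above and against its commented-out form. The function name, the sample strings and the choice to treat `tomee-admin` and `manager-gui` as privileged roles are assumptions of this example.

```python
import sys
import xml.etree.ElementTree as ET

# Values taken from the tomcat-users.xml excerpt quoted in the thread.
SHIPPED_DEFAULTS = {("tomee", "tomee")}
# Assumption of this example: these two roles are the ones worth flagging.
PRIVILEGED_ROLES = {"tomee-admin", "manager-gui"}

def audit_tomcat_users(xml_data):
    """List every active <user>. Entries inside XML comments are never seen,
    because ElementTree discards comments while parsing."""
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        if elem.tag.rsplit("}", 1)[-1] != "user":  # tolerate an xmlns on the root
            continue
        name = elem.get("username") or elem.get("name") or ""
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        findings.append({
            "username": name,
            "privileged_roles": sorted(roles & PRIVILEGED_ROLES),
            "default_credentials": (name, elem.get("password", "")) in SHIPPED_DEFAULTS,
        })
    return findings

# Constructed samples: the entries as quoted in the thread, and the commented-out form.
AS_SHIPPED = """<tomcat-users>
  <role rolename="tomee-admin"/>
  <user password="tomee" roles="tomee-admin,manager-gui" username="tomee"/>
</tomcat-users>"""

COMMENTED_OUT = """<tomcat-users>
  <!--
  <role rolename="tomee-admin"/>
  <user password="tomee" roles="tomee-admin,manager-gui" username="tomee"/>
  -->
</tomcat-users>"""

if __name__ == "__main__":
    # With path arguments, audit those files; otherwise run on the samples.
    inputs = [open(p, "rb").read() for p in sys.argv[1:]] or [AS_SHIPPED, COMMENTED_OUT]
    for data in inputs:
        for finding in audit_tomcat_users(data):
            print(finding)
```

An empty result means no account in the file is active; a finding with `default_credentials` set to true is the case the thread is about.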
