Hola,
I too am unhappy even with a commented-out default username/password,
because I think too many will just comment it in.  I think the current
tomcat-users.xml is fine.  But if you want to make a difference on
this matter, make a custom 401 page for the admin and manager webapps
that says (in addition to the usual 401 denied stuff) "hey, maybe you
forgot to change the default tomcat-users.xml?  Please see
http://this.url for directions."
Yoav

On 4/28/06, Remy Maucherat <[EMAIL PROTECTED]> wrote:
> Mladen Turk wrote:
> > Peter Rossbach wrote:
> >> Yes, defaults are very fine, but secret parameters need active user
> >> interaction.
> >>
> >
> > I didn't say it will be enabled by default.
> > If commented out like in tc6, it would need a user intervention
> > anyhow, so the user uncommenting the credentials should be
> > aware of the consequences.
>
> The default file is:
> <!--
>    NOTE:  By default, no user is included in the "manager" role required
>    to operate the "/manager" web application.  If you wish to use this app,
>    you must define such a user - the username and password are arbitrary.
> -->
> <tomcat-users>
>    <user name="tomcat" password="tomcat" roles="tomcat" />
>    <user name="role1"  password="tomcat" roles="role1"  />
>    <user name="both"   password="tomcat" roles="tomcat,role1" />
> </tomcat-users>
>
> It looks good enough to me, and it's been like that since Tomcat 4.0.
> Are you posting this proposal because some people find it too difficult?
>
> Rémy
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


--
Yoav Shapira
Nimalex LLC
1 Mifflin Place, Suite 310
Cambridge, MA, USA
[EMAIL PROTECTED] / www.yoavshapira.com
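
An added example, not part of the original messages and not Tomcat's own code: a small audit that reports active `<user>` entries in a tomcat-users.xml that still carry the credentials from the default file quoted above, and says whether they hold a role gating the manager or admin webapps. The role name `admin`, the acceptance of `username` alongside `name`, and the sample file are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Name/password pairs from the default file quoted in this thread.
SHIPPED_DEFAULTS = {("tomcat", "tomcat"), ("role1", "tomcat"), ("both", "tomcat")}
# Roles assumed to gate the manager and admin webapps.
SENSITIVE_ROLES = {"manager", "admin"}

def audit_tomcat_users(xml_text):
    """Return findings for active <user> entries with weak credentials.

    The parser discards XML comments, so commented-out users are never
    reported: only entries someone has "commented in" are live.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Drop any "{namespace}" prefix so namespaced files also match.
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if (name, password) in SHIPPED_DEFAULTS:
            reason = "shipped default credentials"
        elif not password:
            reason = "empty password"
        elif password == name:
            reason = "password equals username"
        else:
            continue
        findings.append({"user": name, "reason": reason,
                         "sensitive": bool(roles & SENSITIVE_ROLES)})
    return findings

# Constructed sample: one commented-out entry, two defaults, one changed password.
SAMPLE = """<tomcat-users>
  <!-- <user name="admin" password="admin" roles="admin,manager" /> -->
  <user name="tomcat" password="tomcat" roles="tomcat,manager" />
  <user name="role1"  password="tomcat" roles="role1" />
  <user name="deploy" password="constructed-non-default" roles="manager" />
</tomcat-users>"""

if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE):
        level = "HIGH" if f["sensitive"] else "low"
        print(f"[{level}] {f['user']}: {f['reason']}")
```
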