Hola, I too am unhappy even with a commented-out default username/password, because I think too many will just comment it in. I think the current tomcat-users.xml is fine. But if you want to make a difference on this matter, make a custom 401 page for the admin and manager webapps that says (in addition to the usual 401 denied stuff) "hey, maybe you forgot to change the default tomcat-users.xml? Please see http://this.url for directions."
Yoav

On 4/28/06, Remy Maucherat <[EMAIL PROTECTED]> wrote:
> Mladen Turk wrote:
> > Peter Rossbach wrote:
> >> Yes, defaults are very fine, but secret parameters need active user
> >> interaction.
> >>
> >
> > I didn't say it will be enabled by default.
> > If commented out like in tc6, it would need a user intervention
> > anyhow, so the user uncommenting the credentials should be
> > aware of the consequences.
>
> The default file is:
> <!--
>   NOTE: By default, no user is included in the "manager" role required
>   to operate the "/manager" web application. If you wish to use this app,
>   you must define such a user - the username and password are arbitrary.
> -->
> <tomcat-users>
>   <user name="tomcat" password="tomcat" roles="tomcat" />
>   <user name="role1" password="tomcat" roles="role1" />
>   <user name="both" password="tomcat" roles="tomcat,role1" />
> </tomcat-users>
>
> It looks good enough to me, and it's been like that since Tomcat 4.0.
> Are you posting this proposal because some people find it too difficult?
>
> Rémy
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

--
Yoav Shapira
Nimalex LLC
1 Mifflin Place, Suite 310
Cambridge, MA, USA
[EMAIL PROTECTED] / www.yoavshapira.com
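An added example, not part of the original thread or of Tomcat's own code: a check that flags default-style credentials in a tomcat-users.xml, covering both active entries and commented-out ones (the case the message above worries will simply be uncommented). The sample is the default file quoted in the thread plus two constructed entries (`admin` and `ops`); the default-password and sensitive-role sets and all function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: passwords treated as shipped defaults ("tomcat" is from the quoted file).
DEFAULT_PASSWORDS = {"tomcat"}
# Assumption: roles guarding the admin and manager webapps named in the thread.
SENSITIVE_ROLES = {"manager", "admin"}
USER_TAG = re.compile(r"<user\b[^>]*>")
ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

# The default file quoted in the thread; the commented-out "admin" entry
# and the "ops" entry are constructed for this example.
SAMPLE = """<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1" password="tomcat" roles="role1" />
  <user name="both" password="tomcat" roles="tomcat,role1" />
  <!-- <user name="admin" password="admin" roles="admin,manager" /> -->
  <user username="ops" password="S7-constructed-value" roles="manager" />
</tomcat-users>
"""

def _finding(attrs, active):
    """Return a finding dict for a weak entry, or None if it looks fine."""
    name = attrs.get("username") or attrs.get("name") or ""
    pw = attrs.get("password", "")
    roles = {r.strip() for r in attrs.get("roles", "").split(",") if r.strip()}
    # Weak: a known default password, or a password equal to the user name.
    if pw in DEFAULT_PASSWORDS or (pw and pw == name):
        return {"user": name, "active": active,
                "sensitive": bool(roles & SENSITIVE_ROLES)}
    return None

def audit(xml_text):
    """List weak <user> entries: active ones first, then commented-out ones."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "user":  # ignore any XML namespace
            found.append(_finding(el.attrib, True))
    # The XML parser drops comments, so scan them separately: these
    # entries are one uncomment away from being live.
    for comment in re.findall(r"<!--(.*?)-->", xml_text, re.S):
        for tag in USER_TAG.findall(comment):
            found.append(_finding(dict(ATTR.findall(tag)), False))
    return [f for f in found if f]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        state = "ACTIVE" if f["active"] else "commented-out"
        flag = " [admin/manager role]" if f["sensitive"] else ""
        print(f"{state}: user {f['user']!r} has a default-style password{flag}")
```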