https://issues.apache.org/bugzilla/show_bug.cgi?id=56370
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #5 from Mark Thomas <ma...@apache.org> ---
(In reply to Martin Spamer from comment #4)
> This should be re-opened and fixed on the grounds refusal make a very weak
> argument.
>
> 1) The tomcat,both and role1 are NOT used by any of the examples, which only
> ship in some distro. The file in error is supplied with all distributions.

Those roles are used by the examples app that ships with Tomcat. If a
distribution removes the examples it should remove the corresponding users from
tomcat-users.xml.

> 2) The examples already provide access with default password so how is that
> ground to refuse to correct this bug.

The examples are not security sensitive. The Manager app is.

> 3) The suggestion uses a blanked out password.

Which means the end result will be a bunch of Tomcat instances where the
Manager password is "******" or whatever is used for the "blanked out"
password. You could set it to "OnlyAnIdiotWouldNotChangeThis" and it would
still not get changed in a significant proportion of installations.

> 4) Refusal increases the barriers to use and makes additional work setting
> up and configuration.

The refusal is based solely on past experience that shows that, with any form
of commented out password for the Manager app, folks simply uncomment it
without engaging their brains first.
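The risk discussed in this thread (a Manager user left on a placeholder password in tomcat-users.xml) can be checked for on an installed instance. The following is an added example, not part of the bug report or of Tomcat: a small audit that flags uncommented users holding Manager or Host Manager roles whose password is empty, a known placeholder, or the same as the username. It assumes plaintext (undigested) passwords; the placeholder list and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager / Host Manager apps (Tomcat 7 and later).
SENSITIVE_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                   "manager-status", "admin-gui", "admin-script"}

# Illustrative placeholder list (an assumption); the first two are quoted in the thread.
PLACEHOLDERS = {"******", "onlyanidiotwouldnotchangethis", "tomcat",
                "password", "changeme", "admin", "manager"}

def local(tag):
    """Strip an XML namespace so the file is handled with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (username, reason) for each Manager-capable user with a weak password."""
    findings = []
    # ElementTree drops XML comments, so commented-out users are never reported.
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "user":
            continue
        name = el.get("username", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & SENSITIVE_ROLES:
            continue  # examples-only users (e.g. role1) are not security sensitive
        pw = el.get("password", "")
        if not pw:
            findings.append((name, "empty password"))
        elif pw.lower() in PLACEHOLDERS:
            findings.append((name, "placeholder password"))
        elif pw.lower() == name.lower():
            findings.append((name, "password equals username"))
    return findings

# Constructed sample input, not taken from any real installation.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <!-- <user username="draft" password="******" roles="manager-gui"/> -->
  <role rolename="manager-gui"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="admin" password="******" roles="manager-gui"/>
  <user username="deploy" password="deploy" roles="manager-script,role1"/>
  <user username="ops" password="k3Vq-constructed-9Tz" roles="manager-gui"/>
</tomcat-users>"""

if __name__ == "__main__":
    for user, reason in audit(SAMPLE):
        print(f"{user}: {reason}")
```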