| Summary: | Tomcat Installer: old attribute generated in tomcat-users.xml instead of the new one | | |
|---|---|---|---|
| Product: | Tomcat 6 | Reporter: | Sandro Martini <smartini> |
| Component: | Native:Packaging | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | | |
| Priority: | P2 | | |
| Version: | 6.0.41 | | |
| Target Milestone: | default | | |
| Hardware: | PC | | |
| OS: | All | | |
Description
Sandro Martini
2014-06-09 09:38:52 UTC
Fixed in 8.0.x for 8.0.9 and 7.0.x for 7.0.55. Proposed for 6.0.x

For a record:

There are several components that read tomcat-users.xml.

org.apache.catalina.users.MemoryUserDatabase (-> .open() -> o.a.c.users.MemoryUserCreationFactory) prefers "username".

org.apache.catalina.realm.MemoryRealm (-> .startInternal() -> o.a.c.realm.MemoryRuleSet)
org.apache.catalina.realm.JAASMemoryLoginModule (-> .load() -> o.a.c.realm.MemoryRuleSet)
prefer "name".

I agree that "username" is the preferred name, as MemoryUserDatabase.save() (-> MemoryUser.toXml()) uses it when saving the file. The other implementations are not able to write the file.

(In reply to Sandro Martini from comment #0)
> Last (using the same installation procedure, using the exe), if I don't set
> a password for the admin, the line in the tomcat-users.xml won't be generated

Enabling an administrative user shall be a conscious decision.

It is also recommended to configure a RemoteAddrValve on the manager application. There exists malware that targets installations that have users named "manager" with absent (or weak) passwords.

1. Search for CVE-2009-3548
2. http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Securing_Management_Applications

(In reply to Konstantin Kolinko from comment #2)
> I agree that "username" is the preferred name, as MemoryUserDatabase.save()
> (-> MemoryUser.toXml()) uses it when saving the file. The other
> implementations are not able to write the file.

I updated MemoryRuleSet (used by MemoryRealm, JAASMemoryLoginModule) to prefer the "username" attribute and updated MemoryRealm documentation. It will be in 8.0.9, 7.0.55. (r1601886 r1601887)

Only documentation changes were backported to 6.0 (r1601892).

This has been fixed in 6.0.x for 6.0.42 onwards.
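As an added example (not code from this report or from Tomcat), the following Python audit reads a tomcat-users.xml, flags `<user>` entries still written with the legacy `name` attribute instead of `username` as discussed above, flags the empty or weak passwords on administrative accounts the comments warn about, and rewrites the legacy attribute. The sample file, the role list and the 8-character length threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml: one user written with the legacy
# "name" attribute (what the installer in this report produced), one
# "manager" user with a blank password, and one correctly defined user.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user name="admin" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="manager" password="" roles="manager-gui"/>
  <user username="deploy" password="x7!longpassphrase" roles="manager-script"/>
</tomcat-users>
"""

# Roles that grant access to the manager/host-manager applications (assumed list).
ADMIN_ROLES = {"manager-gui", "manager-script", "manager-jmx",
               "manager-status", "admin-gui", "admin-script"}
MIN_ADMIN_PASSWORD_LEN = 8  # assumed threshold for this audit

def _local(tag):
    """Strip an XML namespace, so Tomcat 6 (no xmlns) and 8 (xmlns) files both work."""
    return tag.split("}")[-1]

def audit_tomcat_users(xml_text):
    """Return (user, finding) tuples for every <user> element in the file."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        username, legacy = elem.get("username"), elem.get("name")
        ident = username or legacy or "<unnamed>"
        if username is None and legacy is not None:
            findings.append((ident, "uses legacy 'name' attribute; use 'username'"))
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not password:
            findings.append((ident, "empty or missing password"))
        elif roles & ADMIN_ROLES and len(password) < MIN_ADMIN_PASSWORD_LEN:
            findings.append((ident, "administrative role with short password"))
    return findings

def rename_legacy_name_attribute(xml_text):
    """Rewrite <user name="..."> to <user username="..."> and return the new XML text."""
    ET.register_namespace("", "http://tomcat.apache.org/xml")  # keep the default xmlns unprefixed
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) == "user" and "name" in elem.attrib and "username" not in elem.attrib:
            elem.set("username", elem.attrib.pop("name"))
    return ET.tostring(root, encoding="unicode")
```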