You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2021/04/12 09:04:10 UTC

[GitHub] [tomcat] kkolinko commented on pull request #412: Adding default manager roles in tomcat users config.

kkolinko commented on pull request #412:
URL: https://github.com/apache/tomcat/pull/412#issuecomment-817630063


   > <user username="admin" password="<must-be-changed>" roles="manager-gui,manager-jmx"/>
   
   -1 for the above line. The "manager-jmx" role is not intended to be used by human users: it does not have CSRF protection.
   
   See
   https://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html#Configuring_Manager_Application_Access
   
   > <role rolename="manager-gui"/> etc.
   
   There rarely is a need to explicitly create roles like the above. When parsing the tomcat-users.xml file, all roles mentioned in users are created automatically.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org