Mikolaj,

On 25.11.2013 12:46, Mikolaj Rydzewski wrote:
> On 25.11.2013 12:42, Ognjen Blagojevic wrote:
>> I also think it would be very useful if the 401 error page for the manager
>> application does not use the example password "s3cret", but a randomly
>> generated long password unique for every request. I guess there is a number
>> of Tomcat instances out there with username "tomcat" and password
>> "s3cret", and that needs to be prevented.
> Can you elaborate on that?
> What do you mean by random passwords for 401 pages?
Current 401 page for Manager application says something like:
====
You are not authorized to view this page. If you have not changed any
configuration files, please examine the file conf/tomcat-users.xml in
your installation. That file must contain the credentials to let you use
this webapp.
For example, to add the manager-gui role to a user named tomcat with a
password of s3cret, add the following to the config file listed above.
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
----
What most users do is to copy the XML example, and paste it into
tomcat-users.xml.
I propose that the 401 page for Manager be dynamically generated, so that
instead of occurrences of the example password "s3cret", it generates a random
password, different for every request which results in a 401 error page.
In that way, every security-unaware user will have a unique password, and
not "s3cret".
-Ognjen
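One way to implement the per-request password proposed above, together with an audit that finds copies of the documented example credentials already pasted into tomcat-users.xml. This is an added example, not Tomcat's code: the page wording, function names and the sample config are constructed here.

```python
import secrets
import string
import xml.etree.ElementTree as ET
from html import escape

# Letters and digits only: safe inside an XML attribute value and easy to copy
# by hand, so the pasted line needs no escaping.
PASSWORD_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 24
EXAMPLE_PASSWORD = "s3cret"  # the fixed value the current 401 page shows


def random_password(length=PASSWORD_LENGTH):
    """Draw a fresh password from the OS CSPRNG on every call."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def render_401_page(username="tomcat"):
    """Return (html, password): the Manager 401 body with a per-request credential."""
    password = random_password()
    snippet = ('<role rolename="manager-gui"/>\n'
               f'<user username="{username}" password="{password}" roles="manager-gui"/>')
    html = (
        "<p>You are not authorized to view this page. Examine the file "
        "conf/tomcat-users.xml in your installation.</p>\n"
        f"<p>For example, to add the manager-gui role to a user named {username} "
        f"with a password of {password}, add the following to that file:</p>\n"
        f"<pre>{escape(snippet)}</pre>"  # escaped so the XML is shown, not rendered
    )
    return html, password


def find_example_credentials(tomcat_users_xml):
    """Audit tomcat-users.xml: usernames still carrying the documented example password."""
    root = ET.fromstring(tomcat_users_xml)
    # Match on the local tag name so a namespaced file (as Tomcat writes) also works.
    return [el.get("username") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "user" and el.get("password") == EXAMPLE_PASSWORD]


# Constructed sample config: one user pasted straight from the 401 page, one not.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="ops" password="u8QhR2mN4kLp7XwZ1cVb9TyE" roles="manager-gui"/>
</tomcat-users>
"""
```

Running `find_example_credentials` over a real tomcat-users.xml gives a quick check for the copy-pasted default the thread is worried about; a non-empty result means the password must be changed.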
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org