Hi all, using the Tomcat Installer (for example apache-tomcat-7.0.42.exe) I see that when the admin user is created (in tomcat-users.xml), the tag inside the xml has the (old?) attribute name instead of username (as seen in other parts in the same file). I see this in all three source files from tomcat6, 7 and 8, for example here: http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/res/tomcat.nsi

This is the related line:

    StrCpy $R5 '<user name="$R1" password="$R2" roles="$R3" />$\r$\n'

so I think the fix should be trivial (change name with username).

Note that even in the published doc on the web site there are some references to <user name= ...

Last (using the same installation procedure, using the exe), if I don't set a password for the admin, the line in the tomcat-users.xml won't be generated.

Thanks for now,
Sandro
Fixed in 8.0.x for 8.0.9 and 7.0.x for 7.0.55. Proposed for 6.0.x
For the record: There are several components that read tomcat-users.xml.

org.apache.catalina.users.MemoryUserDatabase (-> .open() -> o.a.c.users.MemoryUserCreationFactory) prefers "username".

org.apache.catalina.realm.MemoryRealm (-> .startInternal() -> o.a.c.realm.MemoryRuleSet)
org.apache.catalina.realm.JAASMemoryLoginModule (-> .load() -> o.a.c.realm.MemoryRuleSet)
prefer "name".

I agree that "username" is the preferred name, as MemoryUserDatabase.save() (-> MemoryUser.toXml()) uses it when saving the file. The other implementations are not able to write the file.

(In reply to Sandro Martini from comment #0)
> Last (using the same installation procedure, using the exe), if I don't set
> a password for the admin, the line in the tomcat-users.xml won't be generated

Enabling an administrative user shall be a conscious decision.

It is also recommended to configure a RemoteAddrValve on the manager application. There exists malware that targets installations that have users named "manager" with absent (or weak) passwords.

1. Search for CVE-2009-3548
2. http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Securing_Management_Applications
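The comment above lists readers of tomcat-users.xml that disagree on whether a user is identified by "username" or by "name", and warns about management accounts with absent or weak passwords. The following audit script is an added example and is not part of the bug thread or of Tomcat itself: it parses a tomcat-users.xml the way MemoryUserCreationFactory does (prefer "username", fall back to "name"), records which attribute each entry relied on, and reports entries that hold management roles, carry an empty or well-known password, or use the well-known "manager" username. The sample XML, the weak-password list and the set of management role names are constructed for the example (the role names are those used by the Tomcat manager and host-manager applications).

```python
"""Audit a tomcat-users.xml for the "name"/"username" ambiguity and for
weak or absent credentials on management accounts (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: an installer-style entry using the legacy "name"
# attribute, an entry as MemoryUserDatabase.save() writes it ("username"),
# an entry carrying both attributes, and an entry with an empty password.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="tomcat"/>
  <user name="admin" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="tomcat" password="" roles="tomcat"/>
  <user username="manager" name="legacy" password="manager" roles="manager-gui"/>
</tomcat-users>
"""

# Roles that grant access to the manager / host-manager applications.
MANAGEMENT_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
# Constructed list of passwords an auditor would treat as well-known.
WEAK_PASSWORDS = {"tomcat", "manager", "admin", "password", "s3cr3t"}


@dataclass
class TomcatUser:
    username: str
    password: Optional[str]
    roles: List[str]
    attribute_used: str  # "username", "name" or "both"


def _local(tag: str) -> str:
    """Strip the XML namespace so {http://tomcat.apache.org/xml}user -> user."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_text: str) -> List[TomcatUser]:
    """Read <user> elements, preferring "username" and falling back to "name"
    (the precedence MemoryUserCreationFactory applies)."""
    root = ET.fromstring(xml_text)
    users = []
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        has_username = el.get("username") is not None
        has_name = el.get("name") is not None
        if has_username and has_name:
            used = "both"
        elif has_username:
            used = "username"
        elif has_name:
            used = "name"
        else:
            continue  # no identifying attribute at all; nothing to audit
        username = el.get("username") if has_username else el.get("name")
        roles = [r.strip() for r in (el.get("roles") or "").split(",") if r.strip()]
        users.append(TomcatUser(username, el.get("password"), roles, used))
    return users


def audit_users(users: List[TomcatUser]) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for conditions worth a second look."""
    findings = []
    for u in users:
        if u.attribute_used == "name":
            findings.append((u.username, "uses legacy 'name' attribute; MemoryUserDatabase writes 'username'"))
        elif u.attribute_used == "both":
            findings.append((u.username, "has both 'name' and 'username'; readers may disagree on the identity"))
        if not u.password:
            findings.append((u.username, "empty or missing password"))
        elif u.password.lower() in WEAK_PASSWORDS:
            findings.append((u.username, "weak password"))
        if u.username == "manager":
            findings.append((u.username, "well-known username 'manager'"))
        mgmt = sorted(MANAGEMENT_ROLES & set(u.roles))
        if mgmt:
            findings.append((u.username, "holds management role(s): " + ", ".join(mgmt)))
    return findings


if __name__ == "__main__":
    for user, finding in audit_users(parse_users(SAMPLE_TOMCAT_USERS)):
        print(f"{user}: {finding}")
```

Run against a real file by replacing the constructed sample with the contents of conf/tomcat-users.xml; an entry that appears under "name" only will be accepted by MemoryRealm but would be rewritten with "username" should MemoryUserDatabase ever save the file, so normalising such entries removes one source of drift between the readers.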
(In reply to Konstantin Kolinko from comment #2)
> I agree that "username" is the preferred name, as MemoryUserDatabase.save()
> (-> MemoryUser.toXml()) uses it when saving the file. The other
> implementations are not able to write the file.

I updated MemoryRuleSet (used by MemoryRealm, JAASMemoryLoginModule) to prefer the "username" attribute and updated MemoryRealm documentation.

It will be in 8.0.9, 7.0.55. (r1601886 r1601887)

Only documentation changes were backported to 6.0 (r1601892).
This has been fixed in 6.0.x for 6.0.42 onwards.