Bug 56606 - Tomcat Installer: old attribute generated in tomcat-users.xml instead of the new one
Tomcat Installer: old attribute generated in tomcat-users.xml instead of the ...
Status: RESOLVED FIXED
Product: Tomcat 6
Classification: Unclassified
Component: Native:Packaging
6.0.41
PC All
: P2 normal (vote)
: default
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2014-06-09 09:38 UTC by Sandro Martini
Modified: 2014-09-30 13:10 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sandro Martini 2014-06-09 09:38:52 UTC
Hi all, using the Tomcat Installer (for example apache-tomcat-7.0.42.exe) I see that when the admin user is created (in tomcat-users.xml), the tag inside the xml has the (old?) attribute name instead of username (as seen in other parts in the same file).

I see this in all three source files from tomcat6, 7 and 8, for example here: http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/res/tomcat.nsi

this is the line related:
StrCpy $R5 '<user name="$R1" password="$R2" roles="$R3" />$\r$\n'

so I think the fix should be trivial (change name with username).
Note that even in the published doc in the web site there are some references to <user name=  ...


Last (using the same installation procedure, using the exe), if I don't set a password for the admin, the line in the tomcat-users.xml won't be generated

Thanks for now,
Sandro
Comment 1 Mark Thomas 2014-06-10 11:20:43 UTC
Fixed in 8.0.x for 8.0.9 and 7.0.x for 7.0.55.

Proposed for 6.0.x
Comment 2 Konstantin Kolinko 2014-06-11 10:35:33 UTC
For a record:
There are several components that read tomcat-users.xml.

org.apache.catalina.users.MemoryUserDatabase
(-> .open() -> o.a.c.users.MemoryUserCreationFactory)
prefers "username".

org.apache.catalina.realm.MemoryRealm
(-> .startInternal() -> o.a.c.realm.MemoryRuleSet)
org.apache.catalina.realm.JAASMemoryLoginModule
(-> .load() -> o.a.c.realm.MemoryRuleSet)
prefer "name".

I agree that "username" is the preferred name, as MemoryUserDatabase.save() (-> MemoryUser.toXml()) uses it when saving the file. The other implementations are not able to write the file.

(In reply to Sandro Martini from comment #0)
> 
> Last (using the same installation procedure, using the exe), if I don't set
> a password for the admin, the line in the tomcat-users.xml won't be generated
>

Enabling an administrative user shall be a conscious decision. It is also recommended to configure a RemoteAddrValve on the manager application.
There exists malware that targets installations that have users named "manager" with absent (or weak) passwords.

1. Search for CVE-2009-3548
2.
http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Securing_Management_Applications
Comment 3 Konstantin Kolinko 2014-06-11 13:37:41 UTC
(In reply to Konstantin Kolinko from comment #2)
> 
> I agree that "username" is the preferred name, as MemoryUserDatabase.save()
> (-> MemoryUser.toXml()) uses it when saving the file. The other
> implementations are not able to write the file.
> 

I updated MemoryRuleSet (used by MemoryRealm, JAASMemoryLoginModule) to prefer the "username" attribute and updated MemoryRealm documentation. It will be in 8.0.9, 7.0.55. (r1601886 r1601887)
Only documentation changes were backported to 6.0 (r1601892).
Comment 4 Mark Thomas 2014-09-30 13:10:34 UTC
This has been fixed in 6.0.x for 6.0.42 onwards.