56606 – Tomcat Installer: old attribute generated in tomcat-users.xml instead of the new one

Bug 56606 - Tomcat Installer: old attribute generated in tomcat-users.xml instead of the new one

Summary: Tomcat Installer: old attribute generated in tomcat-users.xml instead of the ...

Status:	RESOLVED FIXED

Alias:	None

Product:	Tomcat 6
Classification:	Unclassified
Component:	Native:Packaging (show other bugs)
Version:	6.0.41
Hardware:	PC All

Importance:	P2 normal (vote)
Target Milestone:	default
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-06-09 09:38 UTC by Sandro Martini
Modified:	2014-09-30 13:10 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sandro Martini 2014-06-09 09:38:52 UTC

Hi all, using the Tomcat Installer (for example apache-tomcat-7.0.42.exe) I see that when the admin user is created (in tomcat-users.xml), the tag inside the xml has the (old?) attribute name instead of username (as seen in other parts in the same file).

I see this in all three source files from tomcat6, 7 and 8, for example here: http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk/res/tomcat.nsi

this is the line related:
StrCpy $R5 '<user name="$R1" password="$R2" roles="$R3" />$\r$\n'

so I think the fix should be trivial (change name with username).
Note that even in the published doc in the web site there are some references to <user name=  ...


Last (using the same installation procedure, using the exe), if I don't set a password for the admin, the line in the tomcat-users.xml won't be generated

Thanks for now,
Sandro

Comment 1 Mark Thomas 2014-06-10 11:20:43 UTC

Fixed in 8.0.x for 8.0.9 and 7.0.x for 7.0.55.

Proposed for 6.0.x

Comment 2 Konstantin Kolinko 2014-06-11 10:35:33 UTC

For a record:
There are several components that read tomcat-users.xml.

org.apache.catalina.users.MemoryUserDatabase
(-> .open() -> o.a.c.users.MemoryUserCreationFactory)
prefers "username".

org.apache.catalina.realm.MemoryRealm
(-> .startInternal() -> o.a.c.realm.MemoryRuleSet)
org.apache.catalina.realm.JAASMemoryLoginModule
(-> .load() -> o.a.c.realm.MemoryRuleSet)
prefer "name".

I agree that "username" is the preferred name, as MemoryUserDatabase.save() (-> MemoryUser.toXml()) uses it when saving the file. The other implementations are not able to write the file.

(In reply to Sandro Martini from comment #0)
> 
> Last (using the same installation procedure, using the exe), if I don't set
> a password for the admin, the line in the tomcat-users.xml won't be generated
>

Enabling an administrative user shall be a conscious decision. It is also recommended to configure a RemoteAddrValve on the manager application.
There exists malware that targets installations that have users named "manager" with absent (or weak) passwords.

1. Search for CVE-2009-3548
2.
http://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Securing_Management_Applications

Comment 3 Konstantin Kolinko 2014-06-11 13:37:41 UTC

(In reply to Konstantin Kolinko from comment #2)
> 
> I agree that "username" is the preferred name, as MemoryUserDatabase.save()
> (-> MemoryUser.toXml()) uses it when saving the file. The other
> implementations are not able to write the file.
> 

I updated MemoryRuleSet (used by MemoryRealm, JAASMemoryLoginModule) to prefer the "username" attribute and updated MemoryRealm documentation. It will be in 8.0.9, 7.0.55. (r1601886 r1601887)
Only documentation changes were backported to 6.0 (r1601892).

Comment 4 Mark Thomas 2014-09-30 13:10:34 UTC

This has been fixed in 6.0.x for 6.0.42 onwards.