This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
tomcat4/conf/tomcat-users.xml in the NetBeans directory can contain passwords but is installed world readable on Linux. Regarding standalone tomcat4 installations it's sufficient if only the tomcat4 user can read it. I suggest to also do this inside netbeans.
Currently, there is no security support for bundled Tomcat server. Certainly this is a reasonable requirement.
This security issue should be solved somehow in future versions of Tomcat plugins.
We discussed the issue and decided that it is not a bug. Justification : In Linux, the userdir is defaultly created in /home/user directory. The directory shouldn't be readable for other user. If it is - there is a bigger security issue as other users can do the sabotage in the user directory. We've implemented a small security measure for the Tomcat Manager application access. The password is generated randomly for the netbeans user so it is difficult to guess it for the others.