This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
There is a security problem with the IDE's internal tomcat configuration. The tomcat-user.xml file defining users, their roles and passwords contains this element: <user username="ide" password="ide_manager" roles="admin,manager"/> This is a bad approach to have the same password in all installations of IDE on all machines. One can see into his/her conf and use the password to access someone else's tomcat. I am aware of the fact that the internal tomcat server is not supposed to be used in a production environment, but anyway it would be better to generate a different password for each user. I am not sure now if we are going to use the same mechanism for an external tomcat installation. If so this IS definitely a security problem.
This is by design. This instance will never be used as a production server, so ease of use is a priority; security is not important.
The generation of a new password for each installation (may be done during first tomcat start) won't impact ease of use at all! It's only a few lines of code.
I think there is a bigger problem. Anyone in the world can write a small application which deletes all content on a disk, deploy it via manager (name and password are known) and execute it. Or anyone can create an application which makes all data on disk accessible to the world. This is an unacceptable security hole. I vote for autogenerating a new password.
Password for bundled tomcat is generated.
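The remedy this report settles on, a password generated per installation in place of the shared default, sketched as an added example (not NetBeans code and not the fix that was actually committed). The function name, the file handling and the assumption that the users file has no XML namespace are this example's own; only the `ide` / `ide_manager` element comes from the report.

```python
import os
import secrets
import xml.etree.ElementTree as ET

# Shared credential quoted in the report; file assumed to have no XML namespace.
DEFAULT_USER = "ide"
DEFAULT_PASSWORD = "ide_manager"


def rotate_default_password(path):
    """Replace the shared default password in a tomcat users file.

    Returns the new password if the default was found and replaced,
    or None if the file no longer carries the default (already rotated).
    """
    tree = ET.parse(path)
    rotated = None
    for user in tree.getroot().iter("user"):
        if (user.get("username") == DEFAULT_USER
                and user.get("password") == DEFAULT_PASSWORD):
            # 24 random bytes -> 32 URL-safe characters, safe in an XML attribute.
            rotated = secrets.token_urlsafe(24)
            user.set("password", rotated)
    if rotated is None:
        return None
    # Create the temp file owner-only (O_EXCL refuses a pre-existing file),
    # then atomically swap it in so the password is never world-readable.
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        tree.write(fh, encoding="utf-8", xml_declaration=True)
    os.replace(tmp, path)
    return rotated


if __name__ == "__main__":
    import tempfile
    # Constructed sample file containing the element from the report.
    sample = ('<tomcat-users>\n'
              '  <user username="ide" password="ide_manager" roles="admin,manager"/>\n'
              '</tomcat-users>\n')
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "tomcat-users.xml")
        with open(conf, "w") as fh:
            fh.write(sample)
        print("rotated:", rotate_default_password(conf) is not None)
        print("second run is a no-op:", rotate_default_password(conf) is None)
```

Run at first server start, this keeps the setup step invisible to the user while ensuring no two installations share a manager credential.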