TomEE should be secure by default and/or have profile management tool

Alex The Rocker
Hello,

This is to continue the discussion started in users@ list around JIRA
improvement item https://issues.apache.org/jira/browse/TOMEE-450

I'm a bit surprised by Romain's statement that TomEE is primarily used by
developers: I thought that in the real world there are more app servers used
to deploy than to develop, even if, since TomEE is new, it's not yet the
case.

Any opinion?

Alex

Re: TomEE should be secure by default and/or have profile management tool

Romain Manni-Bucau
Hmm, that's not exactly what I said Alex :p

On a project you generally have N (>5) developers using the container to
develop (let's say with tomee-maven-plugin or WTP or something else...)

Then when it is about production you have 2-3 people configuring the server;
then it can be deployed in a cluster automatically from the config.

So my statement is that the config work in dev is > the prod one.

So IMO it should work out of the box in dev then the prod should adapt the
conf. That's for instance what we do about datasources: we provide some
default datasources to let people use JPA out of the box then in production
you configure your real datasource, your pooling etc...

Sorry if it was not clear.

Romain Manni-Bucau
Twitter: @rmannibucau <https://twitter.com/rmannibucau>
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau




2012/10/6 Alex The Rocker <[hidden email]>

Re: TomEE should be secure by default and/or have profile management tool

Alex The Rocker
Okay, I agree with that. So how about a profile management tool to generate
a TomEE configuration with a minimal attack surface?
Alex

On Sat, Oct 6, 2012 at 9:49 PM, Romain Manni-Bucau <[hidden email]> wrote:

Re: TomEE should be secure by default and/or have profile management tool

Romain Manni-Bucau
Like I said in the JIRA, I talked about it, so I'm +0.8 (not +1 since the
conf is still small).

Then it will not be in 1.5.1 I think (wouldn't add too much security or
something like that, so it needs some testing).

Does it sound reasonable to you?

2012/10/6 Alex The Rocker <[hidden email]>

Re: TomEE should be secure by default and/or have profile management tool

Alex The Rocker
It would be acceptable to postpone this JIRA until after 1.5.1 if you could add
a "Hardening TomEE security" item in the documentation and list there the
steps we have in mind for the profile management tool in a future release.
Providing this type of information will give more credit to TomEE as a
suitable production app server (there are many sites about Tomcat
hardening; TomEE can't be weaker than Tomcat :))

Alex

On Sat, Oct 6, 2012 at 9:55 PM, Romain Manni-Bucau <[hidden email]> wrote:

Re: TomEE should be secure by default and/or have profile management tool

Jean-Louis MONTEIRO
Fully agree with all, Alex.
Maybe you could file a JIRA and propose a kind of profile or at least some
piece of code.

Regarding the doc, that's also an area where you could help. It became
simpler with the new website based on the Apache CMS.

Jlouis
On 6 Oct 2012 22:01, "Alex The Rocker" <[hidden email]> wrote:

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com

Re: TomEE should be secure by default and/or have profile management tool

Alex The Rocker
The JIRA is already filed: https://issues.apache.org/jira/browse/TOMEE-450
Regarding the doc, not sure how I could help: do you mean I could be
granted write access to it?
How? Who grants? Who reviews?

Alex

On Sun, Oct 7, 2012 at 9:54 AM, Jean-Louis MONTEIRO <[hidden email]> wrote:

Re: TomEE should be secure by default and/or have profile management tool

Romain Manni-Bucau
There is an edit button on the doc, and your change will be sent then
accepted.

If you need new pages simply ask ;)
On 7 Oct 2012 20:56, "Alex The Rocker" <[hidden email]> wrote:


Re: TomEE should be secure by default and/or have profile management tool

Bjorn Danielsson
In reply to this post by Romain Manni-Bucau
Just my opinion for whatever it's worth:

As we all know, and as Romain explains quite clearly, there
is a built-in conflict between what is most convenient for
the developer and what is most convenient for the production
people.

I think all defaults *except* for security-impacting things
should be chosen to make life easier for developers,
not production people. But for anything security-related
I suggest that the defaults should *always* be governed by
the principle "secure out of the box".

My reason is that there are (unfortunately) too many people out
there who have very little clue about security, or who don't
have any incentive to care about it. And as the popularity of
TomEE grows, the impact of such people deploying TomEE will
also grow. The consequences of that must be weighed against
the inconvenience of the developer's need to relax the security
settings.

--
Bjorn Danielsson
Cuspy Code AB


Romain Manni-Bucau <[hidden email]> wrote:

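To make the two positions in this thread concrete (Alex's profile tool that generates a configuration with a minimal attack surface, and Bjorn's rule that security-impacting defaults stay secure unless a dev profile explicitly relaxes them), here is an added Python illustration. It is not TomEE project code and not anything the participants proposed; it works on the Tomcat `server.xml` and `tomcat-users.xml` that TomEE ships, checks a few standard Tomcat hardening points (shutdown port, AJP connector, `autoDeploy`, privileged users with an empty or username-equal password), and lets a `dev` profile skip the convenience-related rules while a `prod` profile enforces all of them. The sample XML files are constructed, and the rule set and the `dev`/`prod` profile names are assumptions of this example.

```python
"""Profile-aware hardening audit and generator for Tomcat/TomEE conf files.

Added illustration for this thread, not TomEE project code. The rules are the
usual Tomcat hardening items; the dev/prod profile split is an assumption.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml with the stock convenience defaults.
SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample tomcat-users.xml; the first account is the kind of
# username-equals-password entry every hardening guide says to remove.
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deployer" password="PLACEHOLDER_SET_BY_OPS" roles="manager-script"/>
</tomcat-users>
"""


def check_shutdown_port(server, _users):
    """Tomcat disables the shutdown listener when the Server port is -1."""
    port = server.get("port", "8005")
    return None if port == "-1" else f'shutdown port enabled (Server port="{port}"); set port="-1"'


def check_ajp_connector(server, _users):
    """An AJP connector is only needed when an httpd sits in front of the server."""
    for c in server.iter("Connector"):
        if c.get("protocol", "").startswith("AJP"):
            return f"AJP connector on port {c.get('port')}; remove it unless a front httpd uses it"
    return None


def check_auto_deploy(server, _users):
    """autoDeploy picks up whatever lands in appBase: convenient in dev, not in prod."""
    for h in server.iter("Host"):
        if h.get("autoDeploy", "true").lower() == "true":
            return f'autoDeploy="true" on Host {h.get("name")}; set it to "false"'
    return None


def check_privileged_users(_server, users):
    """Manager/admin accounts whose password is empty or equals the username."""
    weak = [
        u.get("username")
        for u in users.iter("user")
        if any(r.strip().startswith(("manager", "admin")) for r in u.get("roles", "").split(","))
        and u.get("password", "") in ("", u.get("username"))
    ]
    return ("privileged users with empty or trivial password: " + ", ".join(weak)) if weak else None


# (rule id, profiles that enforce it, check). Convenience-related rules are
# prod-only, as Bjorn's split suggests; the trivial-password rule holds everywhere.
RULES = [
    ("shutdown-port", {"prod"}, check_shutdown_port),
    ("ajp-connector", {"prod"}, check_ajp_connector),
    ("auto-deploy", {"prod"}, check_auto_deploy),
    ("privileged-users", {"dev", "prod"}, check_privileged_users),
]


def audit(server_xml, users_xml, profile):
    """Return [(rule_id, message)] for every rule enforced by `profile` that fails."""
    if profile not in ("dev", "prod"):
        raise ValueError(f"unknown profile: {profile}")
    server, users = ET.fromstring(server_xml), ET.fromstring(users_xml)
    return [
        (rule_id, msg)
        for rule_id, profiles, check in RULES
        if profile in profiles and (msg := check(server, users))
    ]


def harden_server_xml(server_xml):
    """Generate the prod-profile server.xml: shutdown port off, AJP removed, autoDeploy off."""
    server = ET.fromstring(server_xml)
    server.set("port", "-1")
    for service in server.findall("Service"):
        for c in service.findall("Connector"):
            if c.get("protocol", "").startswith("AJP"):
                service.remove(c)
    for h in server.iter("Host"):
        h.set("autoDeploy", "false")
    return ET.tostring(server, encoding="unicode")


if __name__ == "__main__":
    for profile in ("dev", "prod"):
        print(f"[{profile}] stock config:")
        for rule_id, msg in audit(SERVER_XML, TOMCAT_USERS_XML, profile):
            print(f"  {rule_id}: {msg}")
    print("[prod] after harden_server_xml:")
    for rule_id, msg in audit(harden_server_xml(SERVER_XML), TOMCAT_USERS_XML, "prod"):
        print(f"  {rule_id}: {msg}")
```

Run as a script it audits the stock sample under both profiles and then under `prod` after `harden_server_xml`: the dev profile only complains about the `tomcat`/`tomcat` account, the prod profile reports all four rules, and the generated prod `server.xml` leaves only the user-file finding, which no profile can relax. The split mirrors Romain's point about datasources (defaults that make dev work out of the box, overridden for prod) while keeping the one setting that is never acceptable outside any profile.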

Re: TomEE should be secure by default and/or have profile management tool

Romain Manni-Bucau
The profile is good enough IMO.

If we make it secure by default it will be a pain in dev (and one reason for
me not to use it).

Security depends on whether there is an httpd or not too... in real life it
shouldn't be too much of an issue, no?
On 8 Oct 2012 19:30, "Bjorn Danielsson" <[hidden email]>
wrote:
