I noticed that too, though if you use a data_dir as described in http://docs.codehaus.org/display/GEOSDOC/4+GeoServer+Data+Directory and place it somewhere outside of your Tomcat deployment directory, your user.properties file will be inaccessible. If you don’t remove the default data directory, the old user.properties file will still be accessible via the web; however, it is safe to remove the directory.
Miles
-----Original Message-----
From: geoserver-users-bounces@lists.sourceforge.net [mailto:geoserver-users-bounces@lists.sourceforge.net] On Behalf Of Yang Zhaohui
Sent: Tuesday, 4 March 2008 2:12 PM
To: geoserver-users
Subject: [Geoserver-users] The security of the Geoserver 1.6.0 ? [Sec=Unclassified]

Hello dear sir,
In Geoserver 1.6.0, I find a problem. We can see "The default is user=admin and password=geoserver. You can change these by editing GEOSERVER_DATA_DIR/security/users.properties; see Web Admin Tool Introduction for details." in the URL
“http://localhost:8080/geoserver60/admin/login.do”. I try to visit the “http://localhost:8080/geoserver60/data/security/users.properties”. To my surprise, it displays
“# This is the admnistrator (as well as whoever else has the ROLE_ADMINISTRATOR attached)
admin=geoserver,ROLE_ADMINISTRATOR
# These are sample users you may uncomment if you want to test locking down wfs (see service.properties)
#wfst=wfst,ROLE_WFS_READ,ROLE_WFS_WRITE
wfs=wfs,ROLE_WFS_READ”
So everyone knows the usernames and passwords, and can visit the config page. Is it safe? Is there something wrong?
Australian Antarctic Division - Commonwealth of Australia
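
Added example (not part of the original thread and not GeoServer code): a Python check for the two conditions discussed above, a security/users.properties file that sits inside the deployed webapp (either the configured data directory or a leftover default `data` directory) and accounts still using the default values quoted in the thread. The function names and the sample file are assumptions made for illustration; the check also assumes that files under the webapp root are served by the container.

```python
from pathlib import Path

# Default and sample accounts shown in the users.properties quoted in the thread.
DEFAULT_PAIRS = {("admin", "geoserver"), ("wfs", "wfs"), ("wfst", "wfst")}

# Constructed sample, laid out like the file quoted in the thread.
SAMPLE = """\
# administrator account
admin=geoserver,ROLE_ADMINISTRATOR
#wfst=wfst,ROLE_WFS_READ,ROLE_WFS_WRITE
wfs=wfs,ROLE_WFS_READ
"""

def parse_users(text):
    """Map user -> (password, roles) for every uncommented name=value line."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        password, *roles = [part.strip() for part in value.split(",")]
        users[name.strip()] = (password, roles)
    return users

def is_web_exposed(path, webapp_root):
    """True when path resolves to the deployed webapp or somewhere below it."""
    path, root = Path(path).resolve(), Path(webapp_root).resolve()
    return path == root or root in path.parents

def audit(data_dir, webapp_root):
    """Check the configured data dir and the leftover default <webapp>/data."""
    findings = []
    candidates = {Path(data_dir).resolve(), (Path(webapp_root) / "data").resolve()}
    for directory in sorted(candidates):
        users_file = directory / "security" / "users.properties"
        if not users_file.is_file():
            continue
        if is_web_exposed(users_file, webapp_root):
            findings.append(("exposed", str(users_file)))
        for name, (password, _roles) in parse_users(users_file.read_text()).items():
            if (name, password) in DEFAULT_PAIRS:
                findings.append(("default-credentials", f"{name} in {users_file}"))
    return findings
```

Call `audit()` with the configured data directory and the webapp's deployment directory; an empty list means neither condition was found.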