[EMAIL PROTECTED] wrote:
remm 2003/06/15 06:10:41
Modified: catalina/src/share/org/apache/catalina/core
StandardContext.java
Log:
- Move context descriptors to
$CATALINA_BASE/conf/<engine name>/<host name>, as proposed by Glenn.
- This should make the feature secure, and I think there's no justification
anymore for the deployXML flag.
- Note: The manager webapp may need a few updates, which are in progress.
I haven't had a chance to review the code yet. I have a question about removing the
deployXML flag. In your redesign will the ability to install a {context}.xml file
using an ant task or the web application manager still be available? If so, then
for security the deployXML flag would still be needed.
Only the location of the XML context descriptors changes. That still allows defining stuff which goes in server.xml using the manager, and is "as dangerous" (IMO) as the admin webapp.
So that does give a good reason to keep the flag in :) I wasn't too sure about the change, so that's why I had left the flag in.
OTOH, the feature is a little bit better now, since you can allow your users to write to the webapps folder to easily deploy their webapps, and they (hopefully) won't be able to hack the container.
BTW, there's some stuff I didn't retest, in addition to the two known issues I mentioned (the WAR locking could be caused by fileupload, and is worth investigating IMO), including deploying XML descriptors from themanager.
Remy
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
