Howdy,
I too have a security problem with this patch as-is.  This is why we have extension in Java and support for it in Tomcat ;)

Yoav Shapira
Millennium ChemInformatics


>-----Original Message-----
>From: Remy Maucherat [mailto:[EMAIL PROTECTED]
>Sent: Monday, January 05, 2004 2:57 PM
>To: Tomcat Developers List
>Subject: Re: [PATCH]Virtual Host Choice on HTML Manager
>
>Glenn Nielsen wrote:
>> This breaks security for virtual hosting by allowing anyone who can
>> authenticate to use the manager to manage all virtual hosts.
>> Though this may be easier for you it prevents me from administering
>> a Tomcat server where multiple virtual hosts are managed by different
>> customers.
>>
>> Therefore I am -1 for applying this patch.
>>
>> An acceptable patch would be to extend the existing manager class with
>> a new class which implements this "feature".  Then those administering
>> Tomcat can choose which version of the manager they want to install.
>
>I agree with this.
>Is one manager per vhost really too much to ask ? (since different
>principals will be needed in many situations)
>
>There are use cases for the feature, of course, so I'm ok with having
>an extension class that could replace the default manager servlet.
>
>Rémy
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]



