Ignoring web application code, what you say below is true. However, the introduction of a new webapp introduces new potential risks that must be evaluated and reviewed. The servlet code itself can potentially read any resource available to Tomcat within the system. I would recommend a combination of reviewing/testing the web application code and running with a security manager turned on to limit exposure of the tomcat-users.xml file. Essentially only the core Tomcat code and possibly the admin webapp need ever be able to read that info.

--David

Chris Pat wrote:

Hello,
If I have changed the default admin & manager passwords and have a personal firewall preventing anything other than http & http:8080 access, is it still possible for people to view the tomcat-users.xml file? With only those two protocols open (plus udp 53 for dns) it should be impossible. What is the best practice for running TC "hardened"? Run it as a separate user with read only? To implement jaas/how? Any recommendations, url would be appreciated. tia.
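The hardening David recommends above (a dedicated unprivileged user, tomcat-users.xml readable only by that user, and Tomcat started under the security manager), as an added example that is not part of the thread. It assumes a standard CATALINA_HOME layout with conf/tomcat-users.xml and bin/catalina.sh, catalina.sh's -security switch, and sudo for switching to the Tomcat user; the policy grant quoted in the comment is a hypothetical illustration, not a line from any shipped catalina.policy.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): harden a Tomcat
# instance along the lines discussed above.

# Return 0 if $1 is owned by user $2 and has no group/other read bits,
# i.e. only the Tomcat user can read the credential file. ls -l is used
# because stat's format flags differ between GNU and BSD.
users_xml_is_private() {
    f=$1; owner=$2
    [ -f "$f" ] || return 1
    line=$(ls -l "$f")
    fowner=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$fowner" = "$owner" ] || return 1
    # columns 5-10 of the mode string are the group and other rwx bits;
    # any 'r' among them means another account could read the passwords.
    case "$(printf '%s' "$line" | cut -c5-10)" in
        *r*) return 1 ;;
    esac
    return 0
}

# Make $CATALINA_HOME/conf/tomcat-users.xml private to the Tomcat user.
harden_users_xml() {
    dir=$1; owner=$2
    chown "$owner" "$dir/conf/tomcat-users.xml" &&
        chmod 600 "$dir/conf/tomcat-users.xml"
}

# Start Tomcat as the unprivileged user with the security manager on.
# catalina.sh's -security switch loads conf/catalina.policy, so webapp
# code only gets the FilePermissions granted there. A webapp that really
# must read the file (e.g. the admin webapp) would need an explicit grant
# such as (hypothetical illustration of policy syntax):
#   permission java.io.FilePermission
#       "${catalina.base}/conf/tomcat-users.xml", "read";
start_hardened() {
    dir=$1; owner=$2
    sudo -u "$owner" CATALINA_HOME="$dir" "$dir/bin/catalina.sh" start -security
}
```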
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
