Ignoring web application code, what you say below is true.
However the introduction of a new webapp introduces new potential risks
that must be evaluated and reviewed. The servlet code itself can
potentially read any resource available to tomcat within the system.
I would recommend a combination of reviewing/testing the web application
code and running with a security manager turned on to limit exposure of
the tomcat-users.xml file. Essentially only the core tomcat code and
possibly the admin webapp need ever be able to read that info.
--David
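As an added illustration of the security-manager approach David describes (this is not code from the thread or from the Tomcat project), the fragment below is a catalina.policy excerpt. It assumes Tomcat is started with the security manager enabled (`catalina.sh start -security`), that the container's own libraries live under `${catalina.home}/lib` and the admin webapp under `${catalina.base}/webapps/admin` (directory names vary between Tomcat versions; adjust to your layout), and that every other webapp falls under the unnamed `grant` block, which deliberately carries no FilePermission for the conf directory.

```policy
// Added example: not the stock catalina.policy, only the parts relevant
// to limiting who may read conf/tomcat-users.xml.

// Container core: trusted, so it may read its own configuration.
// (Path assumed; older releases split this across common/ and server/.)
grant codeBase "file:${catalina.home}/lib/-" {
        permission java.security.AllPermission;
};

// The admin webapp needs read access to the realm file and nothing more
// from conf/. Path assumed for illustration.
grant codeBase "file:${catalina.base}/webapps/admin/-" {
        permission java.io.FilePermission
            "${catalina.base}${file.separator}conf${file.separator}tomcat-users.xml", "read";
};

// Everything else (every deployed webapp): no FilePermission on conf/ at all.
// A servlet that tries new FileInputStream(".../conf/tomcat-users.xml")
// gets a java.security.AccessControlException instead of the file.
grant {
        permission java.util.PropertyPermission "java.home", "read";
        permission java.util.PropertyPermission "java.naming.*", "read";
        permission java.util.PropertyPermission "line.separator", "read";
        permission java.util.PropertyPermission "file.separator", "read";
        permission java.util.PropertyPermission "path.separator", "read";
};
```

The point of the layout is that the permission is granted to code by location, not denied: any webapp not explicitly listed simply never receives a FilePermission for conf/, so a code-review miss in a third-party servlet cannot turn into a read of the realm file. Expect legitimate webapps to need further grants (their own directories, JNDI, logging); add those per application rather than widening the anonymous block.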
Chris Pat wrote:
Hello
If I have changed the default admin & manager
passwords and have a personal firewall preventing
anything other than http & http:8080 access, is it
still possible for people to view the tomcat-users.xml
file? With only those two protocols open (plus udp 53
for dns) it should be impossible.
What is the best practice for running TC "hardened"?
Run it as a separate user with read only? To
implement jaas/how? Any recommendations, url would be
appreciated. tia.
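The "separate user with read only" part of the question, as an added example that is not part of the thread: a small POSIX shell script that puts conf/tomcat-users.xml into the state where the Tomcat service account can read it but not write it, and nobody else on the host can read it, plus a check function that audits that state. Assumptions: Tomcat runs as a dedicated unprivileged account whose primary group is `tomcat` (change `TOMCAT_GROUP`), the file path is the standard `$CATALINA_BASE/conf/tomcat-users.xml`, and `ls -ld` prints a conventional ten-character mode string.

```shell
#!/bin/sh
# Added example (not from the thread or the Tomcat project).
# Target state for tomcat-users.xml: owner root, group = Tomcat's group,
# mode 640. Tomcat can read the realm file; it cannot rewrite it, and no
# other local account can read it.

TOMCAT_GROUP="${TOMCAT_GROUP:-tomcat}"   # assumed group of the service account

# Nine permission characters of a file, e.g. "rw-r-----".
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Returns 0 when the file is neither world-readable nor writable by
# group/other; prints the reason and returns 1 otherwise.
check_tomcat_users_perms() {
    f="$1"
    p=$(perm_string "$f") || return 1
    group=$(printf '%s' "$p" | cut -c4-6)
    other=$(printf '%s' "$p" | cut -c7-9)
    case "$other" in
        *r*) echo "FAIL: $f is world-readable ($p)"; return 1 ;;
    esac
    case "$group$other" in
        *w*) echo "FAIL: $f is writable by group or other ($p)"; return 1 ;;
    esac
    echo "OK: $f mode $p"
    return 0
}

# Applies the target state. Needs root because of chown; the Tomcat
# account itself should not own the file, otherwise a compromised webapp
# could rewrite the realm.
harden_tomcat_users() {
    f="$1"
    chown "root:$TOMCAT_GROUP" "$f" && chmod 640 "$f" && check_tomcat_users_perms "$f"
}

# Usage (as root):
#   harden_tomcat_users "$CATALINA_BASE/conf/tomcat-users.xml"
# Audit only (any user that can stat the file):
#   check_tomcat_users_perms "$CATALINA_BASE/conf/tomcat-users.xml"
```

Run the check from the same place you verify the rest of the deployment (for example, a post-install script or a cron job), because a careless `chmod -R` or a re-install of the distribution tarball silently reverts the mode to the shipped world-readable default.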
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]