For all those interested in tightening Tomcat security, there is some interesting advice from OWASP here: http://www.owasp.org/index.php/Securing_tomcat
Yours,
Marcus Milanez

-----Original Message-----
From: Milanez, Marcus [mailto:[EMAIL PROTECTED]
Sent: Monday, 20 August 2007 09:21
To: Tomcat Users List
Subject: RE: Resource Security

Mark,

First of all, let me thank you for your detailed response. This list contains lots of qualified people, and I'm really glad I'm part of it because I'm learning more and more every day. All the reasons you mentioned are reasonable, but there are some points that make me think a lot (and I must admit I don't have the right answers). Here they are:

1) Can I assume things in terms of security? For example, should I always assume that the resources my application accesses (like a database) don't need additional security, because they are hosted on a server, and if this so-called server were attacked then worse things could actually happen? In this case, should I assume as a developer (not as a system admin) that my network is safe, that my web server is safe?

2) Whenever I think of security, I'm not only considering a hacker attack. In terms of security, is it right to give a web system administrator the right to know my application's database user and password? I know that security recommendations on the database side tell us that application users should only have access to what they need, in terms of commands, tables and so on, but again, should I always assume that as a developer? In my point of view, I think my application server should take care of all these issues for me... How? I don't know. In fact my only suggestion is: my app server should ask for a 'key' (besides the manager password) whenever I install a new application. This key could be used to encrypt all my application files, preventing anyone from opening them. I know there are issues like 'Where should this key be stored?', 'Who should type this key?' and I know that, but I can't find a good answer... I'm just exposing some ideas.
Thank you all for your attention once more. This community is really great.

Yours,
Marcus Milanez
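The second point above, that the application's database account should be limited to the commands and tables it actually needs, is easier to see as concrete grants. The following is an added example written for this thread, not code posted by Marcus or taken from the OWASP page; it assumes MySQL, and the database name (shopdb), table names, account names and host addresses are invented for illustration. The first block is the over-privileged pattern that makes the admin-knows-the-password problem so serious; the second is a least-privilege equivalent.

```sql
-- Added example (not from the thread): a MySQL account grant that over-privileges the
-- web application's database user, followed by a least-privilege equivalent.
-- Database name, table names, account names and host addresses are assumptions.

-- WEAK: the application account can read and modify every database on the server,
-- create and drop tables, and log in from any host. Anyone who learns this password
-- (a web server administrator who can read the Tomcat config included) owns the whole DBMS.
CREATE USER 'webapp'@'%' IDENTIFIED BY 'change-me';
GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%';

-- BETTER: one account per application, allowed to connect only from the application
-- server's address, and granted only the statements it runs on the tables it uses.
CREATE USER 'shop_app'@'10.0.1.20' IDENTIFIED BY 'change-me-too';

-- Day-to-day data access only: no DDL, no GRANT OPTION, no FILE or PROCESS privilege.
GRANT SELECT, INSERT, UPDATE         ON shopdb.orders     TO 'shop_app'@'10.0.1.20';
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.cart_items TO 'shop_app'@'10.0.1.20';
GRANT SELECT                         ON shopdb.products   TO 'shop_app'@'10.0.1.20';

-- Schema changes are made with a separate account that the web application never sees,
-- and that can only log in locally on the database host.
CREATE USER 'shop_dba'@'localhost' IDENTIFIED BY 'another-change-me';
GRANT ALL PRIVILEGES ON shopdb.* TO 'shop_dba'@'localhost';

-- Verify: nothing beyond the three table-level grants above should be listed.
SHOW GRANTS FOR 'shop_app'@'10.0.1.20';
```

Two caveats a practitioner would add. First, least privilege bounds the damage, not the exposure: whoever can read the file holding the password (for Tomcat, a JNDI DataSource declared in the server's context configuration rather than inside the WAR, looked up by the application by name) still gets the password, so the file's permissions must restrict it to the account Tomcat runs as. Second, restricting the account by source host means a leaked password is only usable from the application server itself, which is exactly the machine the administrator in the question already controls; the grant list, not the host restriction, is what limits what that person can do with it.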