Chris,

On 5/4/2009 7:31 PM, Chris Brookes wrote:
> Yeah the OWASP guide was pretty good, there was one there for Tomcat
> 5.5, that was part of the base for my guide along with a couple of
> other key resources. The DISA Tomcat checklist titled "Web Checklist
> Tomcat Version 6 Release 1.5" at
> http://iase.disa.mil/stigs/checklist/ was also pretty good.

I didn't read that DISA stuff in too much detail but it seemed
worthless to me. <shrug>

> As far as enabling security manager is concerned, my guide does say
> that the rules in catalina.policy need to be assessed against the
> business requirements of the application and that the default
> catalina.policy provides limited protection which needs to be
> assessed on an application by application basis.

Actually, the default /allowances/ are exceedingly limited. Try
turning on the security manager and see how much of your stuff breaks.
Basically, nothing works if you just enable the security manager right
out of the box. That's a good thing: you should be extremely limited
unless you specifically make allowances for certain things.

I think you have your logic wrong on this one.

-chris
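As an added illustration of the "make specific allowances" point in the message above (this is not from the thread or from the Tomcat project's own catalina.policy; the webapp name myapp, the host db.example.com, port 5432 and the /srv/myapp/data directory are assumptions), here is what a per-webapp grant in conf/catalina.policy looks like, alongside the blanket grant that defeats the purpose:

```text
// Added example, not from the thread. Start Tomcat with the security
// manager enabled and this policy file:
//   $CATALINA_HOME/bin/catalina.sh run -security
// which passes -Djava.security.manager and
// -Djava.security.policy==$CATALINA_BASE/conf/catalina.policy to the JVM.
//
// Out of the box, code under webapps/ gets only the handful of permissions
// in the generic "grant { ... }" block, plus read access to its own docBase.
// A webapp that opens a socket to its database or reads a file outside its
// own directory fails with java.security.AccessControlException (logged in
// catalina.out). Allow exactly that, for that webapp only, by codeBase.
// "myapp", "db.example.com", 5432 and /srv/myapp/data are assumptions.

grant codeBase "file:${catalina.base}/webapps/myapp/-" {
    // Outbound JDBC connection to one host:port and nothing else.
    permission java.net.SocketPermission "db.example.com:5432", "connect,resolve";

    // Read-only access to one external data directory (recursive).
    permission java.io.FilePermission "/srv/myapp/data/-", "read";
};

// What NOT to do: this hands every webapp every permission and makes
// running with -security pointless. Left commented out on purpose.
// grant {
//     permission java.security.AllPermission;
// };
```

The workflow this implies is the one the message describes: enable the manager, run the application's test suite, read each AccessControlException out of the log, and add the narrowest permission that satisfies it under the offending webapp's codeBase, rather than widening the generic grant block.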