Leo Donahue - PLANDEVX wrote:
> In light of the recent announcement, is securing Tomcat Manager with
> org.apache.catalina.valves.RemoteAddrValve enough if we are using 127.0.0.1 or should I
> consider changing the manager auth-method from BASIC to FORM and enable HTTPS as well?
> Is running Tomcat as a Windows service considered "insecure"?

I must say that I fail to see the link with the recent announcement, which concerned only
DIGEST authentication.
If you already allow access to the Tomcat Manager only from "localhost", and presuming
that only authorised people can access this host, and if in addition even ditto users from
localhost have to log in (with some non-trivial userid and password), then that seems
rather secure to me.
Of course if anyone can log in to the Tomcat host, then you probably have other issues than
logging in to the Manager.
Similarly, running Tomcat as a Windows Service should be, if anything, more secure than
running it in a command window, since presumably only some selected users are allowed to
start/stop Windows services.
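
An added example, not part of the original thread and not Tomcat's own code: a Python check over constructed Manager context.xml and web.xml samples that reports which source addresses the RemoteAddrValve pattern accepts and which auth-method and transport-guarantee are configured. The sample file contents, probe addresses and function names are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"
LOOPBACK = ["127.0.0.1", "::1", "0:0:0:0:0:0:0:1"]
PROBES = ["192.0.2.10", "10.0.0.5", "2001:db8::1"]  # constructed non-loopback addresses

# Constructed samples, not taken from any real installation.
STRICT_CONTEXT = r'''<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1|::1|0:0:0:0:0:0:0:1"/>
</Context>'''
WIDE_CONTEXT = r'''<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1|192\..*"/>
</Context>'''
WEB_XML = '''<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>'''

def _local(tag):
    # web.xml elements are namespaced; compare on the local name only.
    return tag.rsplit("}", 1)[-1]

def _first_text(root, name, default):
    for el in root.iter():
        if _local(el.tag) == name and el.text and el.text.strip():
            return el.text.strip()
    return default

def _valve_accepts(allow, deny, addr):
    # Approximates the valve's whole-string regex match with Python's re;
    # a valve with neither attribute is assumed to reject the request.
    if deny and re.fullmatch(deny, addr):
        return False
    if allow:
        return re.fullmatch(allow, addr) is not None
    return bool(deny)

def audit_manager(context_xml, web_xml):
    ctx, web = ET.fromstring(context_xml), ET.fromstring(web_xml)
    valves = [(v.get("allow"), v.get("deny")) for v in ctx.iter()
              if _local(v.tag) == "Valve" and v.get("className") == VALVE]
    def accepted(addr):  # every configured valve must let the address through
        return all(_valve_accepts(a, d, addr) for a, d in valves)
    return {
        "valve_present": bool(valves),
        "loopback_accepted": [a for a in LOOPBACK if accepted(a)],
        "non_loopback_accepted": [a for a in PROBES if accepted(a)],
        "auth_method": _first_text(web, "auth-method", "none"),
        "transport_guarantee": _first_text(web, "transport-guarantee", "NONE"),
    }
```

The valve sees the address of whatever opened the TCP connection, so the result describes direct connections to Tomcat only.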