Hello, I'm migrating existing applications to Tomcat and setting Tomcat up as described in the 'Security Configuration Benchmark for Apache Tomcat 5.5/6.0' of the Center for Internet Security.

The benchmark recommends enabling the Security Manager. However, I'm experiencing that none of the apps run 'out of the box' with the Security Manager enabled. I'm contemplating not activating it, but find it hard to estimate the risk. Our Security department is worried that without the Security Manager enabled, hackers can gain access to restricted packages, take control of Tomcat and 'hop' to other applications and machines (so basically this would imply activating the Security Manager for all applications).

My question is: how secure is Tomcat without the Security Manager enabled (assuming the other points from the CIS benchmark have been implemented)? Is the Security Manager the guard against 'hopping' to other applications, or does Tomcat without the Security Manager already prevent this?

Regards,
Jan-Willem

--
View this message in context: http://old.nabble.com/Tomcat-6%3A-what-are-the-risks-of-not-using-Security-Manager-tp32973301p32973301.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
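The following is an added example, not part of the post above and not Tomcat's own code, to make concrete what the Java Security Manager does and does not guard. It installs a minimal custom `java.security.Policy` that grants file reads only under one hypothetical webapp directory (`app1` under the system temp directory; both directory names and the two sample files are constructed for the demo), then attempts to open a file belonging to a neighbouring hypothetical webapp (`app2`) with and without a Security Manager installed. Tomcat's `catalina.policy` scopes grants the same way, by `codeBase`, per webapp. The policy here allows every non-file permission so the demo itself can run; a real policy would be far more restrictive. Written for Java 7 and 8 (the JVM generation that ran Tomcat 6); on Java 18 to 23 it needs `-Djava.security.manager=allow`, and on Java 24 and later `System.setSecurityManager` no longer works at all.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

/**
 * Added example (not from the mailing-list post, not Tomcat code).
 * Shows the Security Manager turning a filesystem "hop" from one webapp
 * into another's files from "allowed" into "denied".
 */
public class SecurityManagerDemo {

    // Hypothetical webapp directories, constructed under the temp dir for the demo.
    static final String OWN_APP   = System.getProperty("java.io.tmpdir") + File.separator + "app1";
    static final String OTHER_APP = System.getProperty("java.io.tmpdir") + File.separator + "app2";

    /** Policy that allows reads under OWN_APP (recursively, "/-") and no other file access. */
    static final class AppScopedPolicy extends Policy {
        private final Permission allowedReads =
                new FilePermission(OWN_APP + File.separator + "-", "read");

        @Override
        public boolean implies(ProtectionDomain domain, Permission perm) {
            if (perm instanceof FilePermission) {
                return allowedReads.implies(perm);
            }
            // Demo simplification: grant everything that is not file access.
            // A production catalina.policy grants only what each webapp needs.
            return true;
        }
    }

    /** Returns "ok" if the file could be opened, otherwise describes what stopped it. */
    static String tryRead(String path) {
        try (FileInputStream in = new FileInputStream(path)) {
            return "ok";
        } catch (AccessControlException e) {
            // Thrown by the Security Manager when the policy does not imply the permission.
            return "denied: " + e.getPermission();
        } catch (IOException e) {
            return "io-error: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample files: one in "our" webapp, one belonging to the neighbour.
        new File(OWN_APP).mkdirs();
        new File(OTHER_APP).mkdirs();
        File mine   = new File(OWN_APP, "web.xml");
        File theirs = new File(OTHER_APP, "db.properties");
        mine.createNewFile();
        theirs.createNewFile();

        System.out.println("Without Security Manager:");
        System.out.println("  own app file:   " + tryRead(mine.getPath()));    // ok
        System.out.println("  other app file: " + tryRead(theirs.getPath()));  // ok (nothing stops it)

        // Install the app-scoped policy, then the Security Manager that enforces it.
        Policy.setPolicy(new AppScopedPolicy());
        System.setSecurityManager(new SecurityManager());

        System.out.println("With Security Manager and app-scoped policy:");
        System.out.println("  own app file:   " + tryRead(mine.getPath()));    // ok
        System.out.println("  other app file: " + tryRead(theirs.getPath()));  // denied: FilePermission ...
    }
}
```

Compile and run with `javac SecurityManagerDemo.java && java SecurityManagerDemo`. The first pair of reads succeeds because, without a Security Manager, the only thing between one webapp's code and another's files is the operating-system permission of the Tomcat process user, which is the same for every webapp in that JVM. The second pair shows the grant boundary the policy draws. Note what this example does not cover: a Security Manager only mediates Java-level permission checks, so a process-level compromise, a native library, or a flaw in the policy grants themselves is outside its reach.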