cocoon-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vadim Gritsenko" <vadim.gritse...@verizon.net>
Subject RE: Security in cocoon.xconf?
Date Tue, 02 Jul 2002 14:04:50 GMT
Alban,


> > Move cocoon.xconf to WEB-INF/cocoon.xconf, as in latest
> > Cocoon versions. This is a bit more secure location then before.
>
> I don't quite understand how it helps? 

You get more secure installation.


> Having cocoon.xconf in the cocoon is insecure?

Define 'insecure'.


> Some explanations
> would be greatly appreciated because I need to evaluate the
> security issue of cocoon before spending a full development
> effort in cocoon.

1. When cocoon.xconf is directly under webapp, security of the
cocoon.xconf is highly dependent on (known or not) vulnerabilities of
the servlet container.

2. When cocoon.xconf is under WEB-INF, security of the cocoon.xconf is
still highly dependent on (known or not) vulnerabilities of the servlet
container. But, in this case, Servlet specification (IIRC) explicitly
states that these files must not be exposed by the servlet container.

I can't explain clearer than this, please refer to servlet spec and your
servlet container's security guide.

PS I will CC users list, this might be of interest to someone else. Or,
someone else may want to express his opinion and/or experience.


Vadim



-----Original Message-----
From: Tsui, Alban [mailto:Alban.Tsui@COGNOS.com] 
Sent: Tuesday, July 02, 2002 9:44 AM
To: vadim.gritsenko@verizon.net
Subject: RE: Security in cocoon.xconf?

Hi Vadim, 
The following is your reply to my original email at the forum: 
> Move cocoon.xconf to WEB-INF/cocoon.xconf, as in latest Cocoon
versions. This is a bit more secure location then before. Vadim 
I don't quite understand how it helps? Having cocoon.xconf in the cocoon
is insecure? Some explanations would be greatly appreciated because I
need to evaluate the security issue of cocoon before spending a full
development effort in cocoon.
Thanks in advance. 
Alban 




---------------------------------------------------------------------
Please check that your question  has not already been answered in the
FAQ before posting.     <http://xml.apache.org/cocoon/faq/index.html>

To unsubscribe, e-mail:     <cocoon-users-unsubscribe@xml.apache.org>
For additional commands, e-mail:   <cocoon-users-help@xml.apache.org>


Mime
View raw message