db-derby-dev mailing list archives

From Bryan Pendleton <bpendle...@amberpoint.com>
Subject Re: [jira] Commented: (DERBY-1054) Starting Derby with the NetServlet inside of tomcat does not allow binding to non localhost interface.
Date Fri, 06 Apr 2007 02:45:07 GMT
Myrna van Lunteren wrote:
> I don't think
> there's much of any warning in or near the servlet re security issues.

This is an excellent point. I think it would be good to add text
such as the following in two places:
1) As XML comments in the web.xml file for the host init-param
2) In the NetServlet documentation in the manual.

The text should be something like the following (taken from the
Network Server page):

       Remember: Before using the -h option, you should run under the
       Java security manager and enable user authentication.

       By default, the Network Server will listen to requests only on
       the loopback address, which means that it will only accept
       connections from the local host.

Do you think that would address the security concern? The default
for the NetServlet is still "localhost", so it is the same as for
the other out-of-the-box ways to run the Network Server.
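
A check for the setting discussed in this message, as an added example that is not part of the original post or of Derby: it reads a web.xml and reports whether the NetServlet `host` init-param leaves the Network Server on the loopback address. The servlet class name `org.apache.derby.drda.NetServlet`, the function names and the sample web.xml are assumptions made for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not taken from Derby's distribution).
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>derbynet</servlet-name>
    <servlet-class>org.apache.derby.drda.NetServlet</servlet-class>
    <init-param>
      <param-name>host</param-name>
      <param-value>0.0.0.0</param-value>
    </init-param>
  </servlet>
</web-app>"""

def local(tag):
    """Strip an XML namespace prefix such as '{http://...}servlet'."""
    return tag.rsplit("}", 1)[-1]

def children(elem):
    """Map child element names to their trimmed text."""
    return {local(c.tag): (c.text or "").strip() for c in elem}

def is_loopback(host):
    """True only for 'localhost' or a literal loopback IP address."""
    host = host.strip().lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other host name may resolve to a reachable interface

def audit_netservlet(xml_text, servlet_class="org.apache.derby.drda.NetServlet"):
    """Return (servlet-name, host, loopback_only) for each NetServlet entry."""
    findings = []
    for servlet in ET.fromstring(xml_text).iter():
        if local(servlet.tag) != "servlet":
            continue
        fields = children(servlet)
        if fields.get("servlet-class") != servlet_class:
            continue
        host = "localhost"  # default stated in the message above
        for param in servlet:
            if local(param.tag) == "init-param":
                kv = children(param)
                if kv.get("param-name") == "host":
                    host = kv.get("param-value", "")
        findings.append((fields.get("servlet-name", ""), host, is_loopback(host)))
    return findings
```

Any entry whose third field is `False` is a deployment where the quoted warning applies: run under the Java security manager and enable user authentication before exposing it.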


