db-derby-dev mailing list archives

From "Myrna van Lunteren" <m.v.lunte...@gmail.com>
Subject Re: [jira] Commented: (DERBY-1054) Starting Derby with the NetServlet inside of tomcat does not allow binding to non localhost interface.
Date Fri, 06 Apr 2007 02:27:12 GMT
On 4/5/07, Bryan Pendleton <bpendleton@amberpoint.com> wrote:
> Thanks for the comments, Myrna!
>
> > I am also wondering if allowing remote servers to get started - and
> > stopped - would pose a security risk. Unless the app server is started
> > with security manager, I guess.
>
> Do you think that allowing the hostname value to be set in the web.xml
> makes the security risk worse?

Well, currently you can't use the servlet that way...I don't think it
matters much, but (and please correct me if I'm wrong) I don't think
there's much of any warning in or near the servlet re security issues.
>
> > I admit, I always interpreted the servlet more in the line of a demo
> > than a heavy-weight tool.
>
> Yes, I agree. I take your meaning to be that, since NetServlet.java uses
> public APIs of the NetworkServerControl class, anyone who wanted a more
> capable and/or secure implementation could build their own servlet code,
> using the NetServlet.java code as a starting point. Is that what you meant?
>

Yes, that's exactly what I meant.
Of course, interesting improvements would be welcomed...:-)

Myrna
