db-derby-dev mailing list archives

From "Myrna van Lunteren" <m.v.lunte...@gmail.com>
Subject Re: [jira] Commented: (DERBY-1054) Starting Derby with the NetServlet inside of tomcat does not allow binding to non localhost interface.
Date Fri, 06 Apr 2007 03:07:58 GMT
On 4/5/07, Bryan Pendleton <bpendleton@amberpoint.com> wrote:
> Myrna van Lunteren wrote:
> > I don't think
> > there's much of any warning in or near the servlet re security issues.
> This is an excellent point. I think it would be good to add text
> such as the following in two places:
> 1) As XML comments in the web.xml file for the host init-param
> 2) In the NetServlet documentation in the manual.
> The text should be something like the following (taken from the
> Network Server page):
>       Remember: Before using the -h option, you should run under the
>       Java security manager and enable user authentication.
>       By default, the Network Server will listen to requests only on
>       the loopback address, which means that it will only accept
>       connections from the local host.
> Do you think that would address the security concern? The default
> for the NetServlet is still "localhost", so it is the same as for
> the other out-of-the-box ways to run the Network Server.
> thanks,
> bryan
I think that would be fine.

