tomcat-dev mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Big security problem with Admin context in Tomcat?
Date Tue, 25 Jul 2000 03:40:21 GMT
Costin Manolache wrote:

> Admin should be disabled by default, I'll fix that.
> ( or at least require auth - but not with the default pass )
> Costin


Trying to set trusted="false" in the <Context> entry for the admin application
does not have any effect (other than the fact that a complaint about "Illegal
access to internal attribute" gets logged).  The facade manager still lets you
add and delete contexts.  There is also still no authentication protection, and
no apparent way to disable this app without removing it from the
$TOMCAT_HOME/webapps directory entirely.

Please fix it (as you promised) so that the Admin app is disabled by default,
but can be enabled by changing something in server.xml.

