tomcat-dev mailing list archives

Subject RE: Tomcat Security Vulnerability
Date Fri, 06 Oct 2000 23:20:51 GMT
> > 3. In 3.3 - I'll just remove the exit and all "control" messages, and
> > leave the communication mechanism only for proxy-ing requests. The admin
> > interface will be used to stop tomcat and do any administrative tasks.
> > It's possible to automate this using HTTP requests with a password header.
> Will this eliminate the possibility of ever letting Apache start and stop
> Tomcat of its own accord? I remember this feature has been talked about for
> a long time and AFAIK has not been implemented. Or is it not really
> important?

No, it would create the possibility to control tomcat with standard tools
- like a standard HTTP request ( with authentication ), maybe over SSL for
real sites. Anyway - standard tools.

This will be the same as NES and IIS ( both have web-based interfaces that
allow control of most functionality ).

IMHO that is one _right_ solution - moving away from custom solutions and
using standard tools. There are other solutions ( like using JMX - if
someone has time to backport that ).

