tomcat-dev mailing list archives

Subject Re: Tomcat Security Vulnerability
Date Mon, 09 Oct 2000 17:36:51 GMT
> > mod_jserv is not the problem. It HAS security mechanisms (see
> > ApJServSecretKey). It is the Tomcat interface to mod_jserv that is
> > lacking in security features.
> Then please send a patch that implements any security feature you
> would like!

I don't want this to sound too bad - tomcat is the result of many
individuals contributing code they feel is needed. I contributed the
original implementation of Ajp12 for tomcat, and my goal was to make it
easy for people to transition from jserv2.0 to tomcat. In my experience
with web servers I haven't met too many production sites without a
firewall (and tomcat3.0 and before used a simple RMI mechanism that had
no extra password).

I personally believe that a firewall and/or IP-level rules are the best
solution to allow/deny access to a certain port. I may be wrong, and it's
clear other people have different opinions - but that's my experience and
what I think. 

