tomcat-dev mailing list archives

From Amy Roh <amy...@apache.org>
Subject Re: cvs commit: jakarta-tomcat-4.0/webapps/admin/WEB-INF/classes/org/apache/webapp/admin/valve RemoteAddrValveForm.java RemoteHostValveForm.java ValveUtil.java
Date Tue, 11 Feb 2003 18:55:57 GMT
Remy Maucherat wrote:
> amyroh@apache.org wrote:
> 
>> amyroh      2003/02/10 18:27:15
>>
>>   Modified:    webapps/admin build.xml
>>                webapps/admin/WEB-INF/classes/org/apache/webapp/admin
>>                         ApplicationResources_en.properties
>>                         ApplicationResources_es.properties
>>                
>> webapps/admin/WEB-INF/classes/org/apache/webapp/admin/valve
>>                         RemoteAddrValveForm.java RemoteHostValveForm.java
>>                         ValveUtil.java
>>   Log:
>>   Add validation for RemoteAddrValve and RemoteHostValve to prevent
>>   installing a filter that prevents the admin's own access.
> 
> 
> I don't understand what this does over the standard remote host/addr 
> valves.
> If the maintainer of server.xml wishes to deny access to the "admin", 
> then he has the right to do so IMO. I don't agree with forcing the 
> localhost to have access, essentially. I may have an idea of where this 
> new "feature" is coming from ;-)

If the maintainer of server.xml or Tomcat wishes to deny access to the 
"admin", he can surely do so by editing server.xml, and is recommended to 
do so if that's what he desires.  This patch doesn't prevent that 
availability.  This patch only adds validation in admin to prevent the 
admin from crashing, because if a user who doesn't have a better idea of 
how these filters work just creates filters that deny access to their 
own admin while admin is running, it will cause the whole admin to crash.  
Just try adding these valves with the deny attribute "127.0.0.1"; the 
whole admin will crash before this patch.  Again, this is just validation 
of inputs that will have admin continue to work, instead of limiting 
these filters' usage.  Also note that you can still create these filters 
to prevent admin access from IP addresses or hosts other than admin's 
own IP and host.

Amy

> 
> I'll have to veto this patch unless there is a real justification for 
> it, other than (apparently) imaginary usability concerns (I will not 
> integrate this patch in 4.1.20).
> 
> Remy
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
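The self-lockout check the thread argues about, as an added illustration that is not part of the discussion or of the Tomcat admin webapp's ValveUtil. It assumes Tomcat 4's RequestFilterValve ordering (deny patterns first, then allow patterns, then a pass-through when only denies are configured), models the comma-separated regex attributes with java.util.regex (an assumption; Tomcat 4 used Jakarta Regexp), and takes the admin's own address or host from the request that submits the form (assumed to come from getRemoteAddr()/getRemoteHost()).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative check: would a RemoteAddrValve / RemoteHostValve with these
 * allow/deny attributes reject the very request that is installing it?
 * Not Tomcat code; match order mirrors Tomcat 4's RequestFilterValve.
 */
public class ValveLockoutCheck {

    /** Parse a comma-separated pattern list as the valve attributes are written. */
    static List<Pattern> compile(String attr) {
        List<Pattern> out = new ArrayList<>();
        if (attr == null) return out;
        for (String p : attr.split(",")) {
            p = p.trim();
            if (!p.isEmpty()) out.add(Pattern.compile(p));
        }
        return out;
    }

    /** True if a request whose address/host is 'value' would pass the valve. */
    static boolean permits(List<Pattern> allows, List<Pattern> denies, String value) {
        for (Pattern d : denies) {            // a deny match rejects outright
            if (d.matcher(value).find()) return false;
        }
        for (Pattern a : allows) {            // an allow match lets the request in
            if (a.matcher(value).find()) return true;
        }
        // only denies configured: everything not denied passes;
        // allows configured (or nothing at all): reject
        return !denies.isEmpty() && allows.isEmpty();
    }

    /** Run before saving the form; returns null when the valve is safe to install. */
    static String validate(String allowAttr, String denyAttr, String adminValue) {
        if (!permits(compile(allowAttr), compile(denyAttr), adminValue)) {
            return "refusing to install valve: it would deny the admin's own address/host " + adminValue;
        }
        return null;
    }

    public static void main(String[] args) {
        // constructed sample: the lockout case described in the thread
        System.out.println(validate(null, "127.0.0.1", "127.0.0.1"));
        // constructed sample: denying other addresses is still permitted
        System.out.println(validate(null, "10\\.0\\.0\\..*", "127.0.0.1"));
    }
}
```

The check only guards the address or host of the request submitting the form; an administrator who later connects from a different address is still subject to the valve exactly as written, which is the server.xml-level freedom the thread is about.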