tomcat-dev mailing list archives

From Remy Maucherat <r...@apache.org>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core StandardContext.java
Date Mon, 16 Jun 2003 12:50:51 GMT
Glenn Nielsen wrote:
> remm@apache.org wrote:
> 
>> remm        2003/06/15 06:10:41
>>
>>   Modified:    catalina/src/share/org/apache/catalina/core
>>                         StandardContext.java
>>   Log:
>>   - Move context descriptors to
>>     $CATALINA_BASE/conf/<engine name>/<host name>, as proposed by Glenn.
>>   - This should make the feature secure, and I think there's no justification
>>     anymore for the deployXML flag.
>>   - Note: The manager webapp may need a few updates, which are in progress.
>>   
> 
> 
> I haven't had a chance to review the code yet. I have a question about
> removing the deployXML flag.  In your redesign will the ability to install
> a {context}.xml file using an ant task or the web application manager still
> be available?  If so, then for security the deployXML flag would still be
> needed.

Only the location of the XML context descriptors changes. That still 
allows defining stuff which goes in server.xml using the manager, and is 
"as dangerous" (IMO) as the admin webapp.
So that does give a good reason to keep the flag in :) I wasn't too sure 
about the change, so that's why I had left the flag in.

OTOH, the feature is a little bit better now, since you can allow your 
users to write to the webapps folder to easily deploy their webapps, and 
they (hopefully) won't be able to hack the container.

BTW, there's some stuff I didn't retest, in addition to the two known 
issues I mentioned (the WAR locking could be caused by fileupload, and 
is worth investigating IMO), including deploying XML descriptors from 
the manager.

Remy

