tomcat-dev mailing list archives

From "Shapira, Yoav"
Subject RE: [PATCH]Virtual Host Choice on HTML Manager
Date Mon, 05 Jan 2004 19:58:13 GMT

I too have a security problem with this patch as-is.  This is why we have extension in Java
and support for it in Tomcat ;)

Yoav Shapira
Millennium ChemInformatics

>-----Original Message-----
>From: Remy Maucherat
>Sent: Monday, January 05, 2004 2:57 PM
>To: Tomcat Developers List
>Subject: Re: [PATCH]Virtual Host Choice on HTML Manager
>Glenn Nielsen wrote:
>> This breaks security for virtual hosting by allowing anyone who can
>> authenticate to use the manager to manage all virtual hosts.
>> Though this may be easier for you it prevents me from administering
>> a Tomcat server where multiple virtual hosts are managed by different
>> customers.
>> Therefore I am -1 for applying this patch.
>> An acceptable patch would be to extend the existing manager class with
>> a new class which implements this "feature".  Then those administering
>> Tomcat can choose which version of the manager they want to install.
>I agree with this.
>Is one manager per vhost really too much to ask ? (since different
>principals will be needed in many situations)
>There are use cases for the feature, of course, so I'm ok with having
>an extension class that could replace the default manager servlet.
