tomcat-dev mailing list archives

From Jean-Francois Arcand <jfarc...@apache.org>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java
Date Fri, 19 Nov 2004 18:03:45 GMT


Remy Maucherat wrote:
> Jean-Francois Arcand wrote:
> 
>> Actually, my next step is to allow an empty field in 
>> catalina.properties, which will disable the mechanism (next commit 
>> :-)). Right now you can only disable the mechanism by removing the 
>> catalina.properties or if you use the Embedded interface.
>>
>> By default I still want to keep Tomcat as secure as possible, but 
>> leave the door open for disabling the mechanism. As an example, when 
>> Tomcat gets benchmarked against other unsecure containers with security 
>> turned on, people will think Tomcat is slower, which is not right.
> 
> 
> I don't understand. This configuration will make security useless, so 
> what's the point ? Why not just disable security if it's going to be 
> useless ?

It's not useless. Normal permissions are still turned on. It's only the 
package protection that is disabled. When disabled, Tomcat 5 is as 
unsecure as Tomcat 4 in terms of sniffing/loading classes, but still 
secure in terms of browsing the file system etc.

-- Jeanfrancois


> 
> Rémy
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
> 
