tomcat-dev mailing list archives

From Jean-Francois Arcand <>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session
Date Fri, 19 Nov 2004 18:03:45 GMT

Remy Maucherat wrote:
> Jean-Francois Arcand wrote:
>> Actually, my next step is to allow empty fields in 
>>, which will disable the mechanism (next commit 
>> :-)). Right now you can only disable the mechanism by removing the 
>> or if you use the Embedded interface.
>> By default I still want to keep Tomcat as secure as possible, but 
>> leave the door open for disabling the mechanism. As an example, when 
>> Tomcat gets benchmarked against other unsecure containers with security 
>> turned on, people will think Tomcat is slower, which is not right.
> I don't understand. This configuration will make security useless, so 
> what's the point? Why not just disable security if it's going to be 
> useless?

It's not useless. Normal permissions are still turned on. It's only the 
package protection that is disabled. When disabled, Tomcat 5 is as 
unsecure as Tomcat 4 in terms of sniffing/loading classes, but still 
secure in terms of browsing the file system etc.

-- Jeanfrancois

> Rémy