tomcat-dev mailing list archives

From Remy Maucherat
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session
Date Fri, 19 Nov 2004 19:05:28 GMT
Jean-Francois Arcand wrote:

> It's not useless. Normal permissions are still turned on. It's only 
> the package protection that is disabled. When disabled, Tomcat 5 is as 
> unsecure as Tomcat 4 in terms of sniffing/loading classes, but still 
> secure in terms of browsing the file system etc.

Possibly. But I don't know what you can do with access to the Tomcat 
internals, and hacking the container is a bad security problem IMO. I 
don't see how you could want half-assed security. Oh wait, there's 
Window$, so I guess there are takers ;)

BTW, Tomcat 4 did package protection.

