tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <>
Subject Re: Removing the examples (JSP/servlet) in TC Binaries
Date Mon, 09 Jul 2007 13:25:33 GMT
I'm not sure. They provide an easy entry point for people using Tomcat 
because it is so simple to just use them. There are a couple of choices:

- leave the examples in the download and take their security serious. 
This is what we do now.

- leave the examples in the download, but don't bother about their 
security, as long as they don't compromise the container security (e.g. 
don't bother about XSS issues for the example webapps).

- move the examples into a separate download, and add some notes about 
that to the docs. This will also be a better production setup, but 
people might miss the separate download.

- move the examples into a separate directory, so that they are not 
active by default. Add a note about how to activate them. Also a better 
production setup, but we'll get a lot of questions, why the examples do 
not work.

I think the real question is, should we still take security serious for 
the example webapps. If no, then we should decide, which way we disable 
them. I don't have a very strong opinion, because I don't feel fine by 
delivering insecure example webapps, even if they are disabled. How 
should people be made aware of security in webapps, if even our example 
webapps are unsafe.

On the other hand: do we think the status of the example webapps 
concerning security is OK now, or do we think they would need a thorough 



jean-frederic clere wrote:
> Hi,
> The examples (servlet and JSP) have caused a list of security issues.
> I think we should remove them from the Tomcat binary packages (6.0 and 
> 5.x at least).
> Any comments?
> Cheers
> Jean-Frederic

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message