tomcat-dev mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: Removing the examples (JSP/servlet) in TC Binaries
Date Mon, 09 Jul 2007 16:54:22 GMT
Rainer Jung wrote:
> I'm not sure. They provide an easy entry point for people using Tomcat
> because it is so simple to just use them. There are a couple of choices:
> - leave the examples in the download and take their security seriously.
> This is what we do now.

good choice...

> - leave the examples in the download, but don't bother about their
> security, as long as they don't compromise the container security (e.g.
> don't bother about XSS issues for the example webapps).

good choice, *if* you set up only a localhost endpoint and clearly document
that the examples are only that, and open to XSS and other issues.

> - move the examples into a separate directory, so that they are not
> active by default. Add a note about how to activate them. Also a better
> production setup, but we'll get a lot of questions, why the examples do
> not work.

I guess that's what I was thinking of above.

> I think the real question is, should we still take security seriously for
> the example webapps. If no, then we should decide which way we disable
> them. I don't have a very strong opinion, because I don't feel fine about
> delivering insecure example webapps, even if they are disabled. How
> should people be made aware of security in webapps, if even our example
> webapps are unsafe?

The argument is that some authors start with the examples.  If they are
riddled with XSS exploits, their derivative code will also be abusable.

It's nice if *someone* provides good reference examples; consider the mess
in PHP development-by-example that's left the web in a half-usable state.
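One way to realise the "localhost endpoint" option discussed above, as an added example that is not part of this thread or of Tomcat's shipped configuration: a per-webapp `META-INF/context.xml` for the examples webapp that uses Tomcat's `RemoteAddrValve` so only loopback clients can reach it. The `allow` regex syntax assumed here is the single-regex form used by Tomcat 7 and later.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical webapps/examples/META-INF/context.xml (added example, not shipped by Tomcat).
     The valve rejects any client whose remote address does not match the allow regex,
     so the example servlets/JSPs stay reachable for local learning but not from the network.
     The regex covers IPv4 loopback (127.x.x.x) and both spellings of IPv6 loopback. -->
<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
```

Requests from any other address receive 403 from the valve before the example code runs, which limits the blast radius of an XSS in the examples to users who are already on the host.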
