tomcat-dev mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: CSRF prevention filter and Tomcat 5/6
Date Mon, 10 May 2010 11:25:13 GMT
2010/5/7 Mark Thomas <markt@apache.org>:
> I'm trying to decide the best way to back-port the configuration of this to
> the (Host) Manager app in Tomcat 5 & 6.
>
> The requirements are:
> - not to break anything that currently works
> - enable CSRF for the HTML interface
> - the same user cannot have access to the HTML and text interfaces for the
> filter to be effective.
>
> I can't see a way to meet all of these.
>
> The options I am considering are:
> A: change the role required to access the text interface to manager-text
>   - consistent with Tomcat 7
>   - will break tools currently using the manager role
>
> B: comment out the mapping for the text interface
>   - will break tools currently using the text interface
>
> C: change the role required to access the HTML interface
>   - not consistent with Tomcat 7
>   - will break user access to the Manager GUI
>
> D: Don't enable the filter by default but provide instructions on what to do
> if you do want to enable it in the docs. Something along the lines of:
> - uncomment the Filter and filter mapping
> - change the role used for the text and jmx interfaces (to match the new
> names in Tomcat 7)
>
> I am currently leaning towards D along with some changes to the web.xml
> files that won't change current behaviour but will make it simpler to add
> the CSRF filter.
>
> Thoughts?
>

It is possible to combine A+C:

E. Use a different name for the new role that allows access to GUI
interface only,
"manager-gui", as well as new "manager-script", "manager-jmx", "manager-status".

We can even rename "manager" -> "manager-gui" in Tomcat 7.

The "manager" role is preserved as is, but is documented as
"deprecated" and is no longer recommended for use.

Best regards,
Konstantin Kolinko
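To make option E concrete, here is an illustrative Manager web.xml fragment. It is an added example written for this archive page, not code from Mark Thomas, Konstantin Kolinko or the Tomcat project. It assumes the Tomcat 7 URL layout of the Manager app (/html/*, /text/*, /jmxproxy/*, /status/*) and uses the CsrfPreventionFilter's entryPoints parameter; the role names are the ones proposed in the message.

```xml
<!-- Constructed example, not the shipped Manager web.xml.
     URL patterns follow the Tomcat 7 layout (assumption). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- CSRF protection is applied only to the HTML (GUI) interface.
       The text, JMX proxy and status interfaces are driven by scripts
       that cannot obtain a nonce, so they are deliberately not mapped.
       Their protection comes from requiring roles that no GUI user holds. -->
  <filter>
    <filter-name>CSRF</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <!-- URLs that may be requested without a nonce (bookmarks, links) -->
      <param-name>entryPoints</param-name>
      <param-value>/html,/html/,/html/list,/index.jsp</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CSRF</filter-name>
    <url-pattern>/html/*</url-pattern>
  </filter-mapping>

  <!-- One role per interface (option E): a user holding only manager-gui
       cannot reach an unprotected scripting interface with the same session. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Text Manager interface (for scripts)</web-resource-name>
      <url-pattern>/text/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-script</role-name></auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JMX Proxy interface</web-resource-name>
      <url-pattern>/jmxproxy/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-jmx</role-name></auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Status interface</web-resource-name>
      <url-pattern>/status/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Status is read-only, so every manager role may see it -->
      <role-name>manager-gui</role-name>
      <role-name>manager-script</role-name>
      <role-name>manager-jmx</role-name>
      <role-name>manager-status</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role><role-name>manager-gui</role-name></security-role>
  <security-role><role-name>manager-script</role-name></security-role>
  <security-role><role-name>manager-jmx</role-name></security-role>
  <security-role><role-name>manager-status</role-name></security-role>

</web-app>
```

The point of the split is the third requirement in Mark's list: the filter only helps if the account that browses the GUI cannot also be driven by a forged request to /text/* or /jmxproxy/*. With this layout, an administrator who logs in to the GUI is given manager-gui only in tomcat-users.xml, and deployment scripts get a separate account with manager-script, so neither session is usable against the other interface. The legacy "manager" role can stay declared for backward compatibility while the documentation marks it deprecated, as the message suggests.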
