tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1022441 - in /tomcat/trunk/webapps: docs/manager-howto.xml host-manager/401.jsp host-manager/403.jsp manager/401.jsp manager/403.jsp
Date Thu, 14 Oct 2010 09:22:55 GMT
Author: markt
Date: Thu Oct 14 09:22:54 2010
New Revision: 1022441

URL: http://svn.apache.org/viewvc?rev=1022441&view=rev
Log:
Add some more info on CSRF protection for the manager and host manager applications

Modified:
    tomcat/trunk/webapps/docs/manager-howto.xml
    tomcat/trunk/webapps/host-manager/401.jsp
    tomcat/trunk/webapps/host-manager/403.jsp
    tomcat/trunk/webapps/manager/401.jsp
    tomcat/trunk/webapps/manager/403.jsp

Modified: tomcat/trunk/webapps/docs/manager-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/manager-howto.xml?rev=1022441&r1=1022440&r2=1022441&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/manager-howto.xml (original)
+++ tomcat/trunk/webapps/docs/manager-howto.xml Thu Oct 14 09:22:54 2010
@@ -169,6 +169,18 @@ an example of restricting access to the 
                 allow="127\.0\.0\.1"/>
 </Context>
 </pre>
+
+<p>The HTML interface is protected against CSRF but the text and JMX interfaces
+are not. To maintain the CSRF protection:</p>
+    
+<ul>
+  <li>users with the <tt>manager-gui</tt> role should not be granted either
the
+      <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+  <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+      testing since these interfaces are intended for tools not humans) then the
+      browser must be closed afterwards to terminate the session.</li>
+</ul>
+
 </section>
 
 

Modified: tomcat/trunk/webapps/host-manager/401.jsp
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/host-manager/401.jsp?rev=1022441&r1=1022440&r2=1022441&view=diff
==============================================================================
--- tomcat/trunk/webapps/host-manager/401.jsp (original)
+++ tomcat/trunk/webapps/host-manager/401.jsp Thu Oct 14 09:22:54 2010
@@ -54,9 +54,20 @@
     the functionality you wish to access.
    </p>
     <ul>
-      <li><tt>admin</tt> - allows access to the HTML GUI</li>
+      <li><tt>admin-gui</tt> - allows access to the HTML GUI</li>
       <li><tt>admin-script</tt> - allows access to the text interface</li>
     </ul>
+   <p>
+    The HTML interface is protected against CSRF but the text interface is not.
+    To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>admin-gui</tt> role should not be granted the
+       <tt>manager-script</tt> role.</li>
+    <li>if the text interface is accessed through a browser (e.g. for testing
+        since this interfaces is intended for tools not humans) then the browser
+        must be closed afterwards to terminate the session.</li>
+   </ul>
  </body>
 
 </html>

Modified: tomcat/trunk/webapps/host-manager/403.jsp
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/host-manager/403.jsp?rev=1022441&r1=1022440&r2=1022441&view=diff
==============================================================================
--- tomcat/trunk/webapps/host-manager/403.jsp (original)
+++ tomcat/trunk/webapps/host-manager/403.jsp Thu Oct 14 09:22:54 2010
@@ -71,6 +71,17 @@
       <li><tt>admin-gui</tt> - allows access to the HTML GUI</li>
       <li><tt>admin-script</tt> - allows access to the text interface</li>
     </ul>
+   <p>
+    The HTML interface is protected against CSRF but the text interface is not.
+    To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>admin-gui</tt> role should not be granted the
+       <tt>manager-script</tt> role.</li>
+    <li>if the text interface is accessed through a browser (e.g. for testing
+        since this interfaces is intended for tools not humans) then the browser
+        must be closed afterwards to terminate the session.</li>
+   </ul>
  </body>
 
 </html>

Modified: tomcat/trunk/webapps/manager/401.jsp
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/manager/401.jsp?rev=1022441&r1=1022440&r2=1022441&view=diff
==============================================================================
--- tomcat/trunk/webapps/manager/401.jsp (original)
+++ tomcat/trunk/webapps/manager/401.jsp Thu Oct 14 09:22:54 2010
@@ -63,6 +63,17 @@
       <li><tt>manager-status</tt> - allows access to the status pages only</li>
     </ul>
    <p>
+    The HTML interface is protected against CSRF but the text and JMX interfaces
+    are not. To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>manager-gui</tt> role should not be granted
either
+        the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+    <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+         testing since these interfaces are intended for tools not humans) then
+         the browser must be closed afterwards to terminate the session.</li>
+   </ul>
+   <p>
     For more information - please see the
     <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
    </p>

Modified: tomcat/trunk/webapps/manager/403.jsp
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/manager/403.jsp?rev=1022441&r1=1022440&r2=1022441&view=diff
==============================================================================
--- tomcat/trunk/webapps/manager/403.jsp (original)
+++ tomcat/trunk/webapps/manager/403.jsp Thu Oct 14 09:22:54 2010
@@ -78,6 +78,17 @@
       <li><tt>manager-status</tt> - allows access to the status pages only</li>
     </ul>
    <p>
+    The HTML interface is protected against CSRF but the text and JMX interfaces
+    are not. To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>manager-gui</tt> role should not be granted
either
+        the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+    <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+         testing since these interfaces are intended for tools not humans) then
+         the browser must be closed afterwards to terminate the session.</li>
+   </ul>
+   <p>
     For more information - please see the
     <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
    </p>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message