tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stephan Schöffel <stephan.schoef...@gmx.net>
Subject Re: disable war deployment
Date Wed, 03 Jan 2007 13:04:37 GMT
i know this solution is anything but not secure. but the main point iin 
doing this is a juristic question. if someone is able to put a war file 
into the tomcat installed to your computer he can do probably anything 
he wants to your computer. but if he is able to do so, this security 
break is not the concern of me anymore, but the user's of this machine.


Gregor Schneider wrote:

> Hi Stephan,
>
> well, that's awkward.
>
> Even if you are able to disable automatic deployment, anybody knowing
> his ways around Tomcat will be able to change the settings again thus
> make Tomcat load the other apps :(
>
> my idea would be to write a valve checking which apps are installed:
> If any other then your delivered apps are installed, Tomcat is
> forwarding the request to a customized error-page.
>
> however, even this solution will not prevent anybody from tampering.
>
> HTH
>
> Greg



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message