tomcat-users mailing list archives

From David Delbecq <de...@oma.be>
Subject Re: disable war deployment
Date Wed, 03 Jan 2007 13:09:30 GMT
What is your juridic requirement exactly? That the owner cannot inject code
in your webapp?
At the precise moment of 01/03/07 14:04, Stephan Schöffel expressed himself in
all his nobility:
> I know this solution is anything but not secure. But the main point
> in doing this is a juristic question. If someone is able to put a WAR
> file into the Tomcat installed to your computer he can do probably
> anything he wants to your computer. But if he is able to do so, this
> security break is not the concern of me anymore, but the user's of
> this machine.
>
>
> Gregor Schneider wrote:
>
>> Hi Stephan,
>>
>> well, that's awkward.
>>
>> Even if you are able to disable automatic deployment, anybody knowing
>> his ways around Tomcat will be able to change the settings again thus
>> make Tomcat load the other apps :(
>>
>> My idea would be to write a valve checking which apps are installed:
>> If any other than your delivered apps are installed, Tomcat is
>> forwarding the request to a customized error-page.
>>
>> However, even this solution will not prevent anybody from tampering.
>>
>> HTH
>>
>> Greg
>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>


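The valve idea from the quoted reply, sketched as an added example (not code from the thread or from the Tomcat project): a Host-level valve that answers every request with an error while any webapp outside an allowlist is deployed. The class name, the `allowedPaths` property and the `/myapp` path are hypothetical, the imports assume Tomcat 9 or earlier (`javax.servlet`; Tomcat 10+ uses `jakarta.servlet`), and as the thread notes, anyone who can edit `server.xml` can remove the valve again.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Host;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Refuses all requests while an unexpected webapp is deployed on this Host. */
public class DeployedAppsAllowlistValve extends ValveBase {

    // Hypothetical allowlist of context paths ("" is the ROOT webapp).
    private volatile Set<String> allowedPaths = new HashSet<>(Set.of("/myapp"));

    // Populated from the valve's server.xml attribute, e.g. allowedPaths="/myapp,/other"
    public void setAllowedPaths(String csv) {
        Set<String> paths = new HashSet<>();
        for (String p : csv.split(",")) {
            paths.add(p.trim());
        }
        allowedPaths = paths;
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        Container container = getContainer();
        if (container instanceof Host) {
            // The children of a Host are the deployed webapps (Contexts).
            for (Container child : container.findChildren()) {
                if (!(child instanceof Context)) continue;
                String path = ((Context) child).getPath();
                if (!allowedPaths.contains(path)) {
                    container.getLogger().warn("Unexpected webapp at [" + path + "]");
                    response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE,
                            "Unexpected web application deployed");
                    return; // do not pass the request on to any webapp
                }
            }
        }
        getNext().invoke(request, response);
    }
}
```

Stock webapps such as `/manager` count as deployed Contexts too, so they must either be removed or added to the allowlist.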