tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: SECURITY breach in Tomcat
Date Wed, 28 Jan 2009 18:19:34 GMT

Hubert de Heer wrote:
> If you really, really need the manager webapp, you can restrict access
> to that one not only by password but also by source-ip, e.g. access is
> only allowed from your office IP.
> In server.xml:
>         <Context path="/manager"
> docBase="${catalina.home}/server/webapps/manager" debug="0"
> privileged="true">
>           <Valve className="org.apache.catalina.valves.RemoteAddrValve"
> allow="<office_ip>"/>
>         </Context>

This is a really bad <Context> declaration for several reasons:

1a. It is defined in server.xml. The OP is using Tomcat 6.x. You aren't
    supposed to do this anymore - not since TC 5.5 at least.
1b. You are specifying the "path" to the application, which is a no-no
    these days. Tomcat can detect the deployment path of the application
    from the name of the directory (or WAR file or XML file).
2.  You are explicitly deploying a webapp from the webapps directory.
    Since Tomcat typically has autoDeploy="true", you'll end up
    deploying the application twice. This is confusing at best and
    insecure at the worst (because the "winning" deployment may not
    have that RemoteAddrValve configured).

To sum up, you should:

1. Use META-INF/context.xml if you want to use autoDeploy="true"
   to add your RemoteAddrFilter.

2. Use conf/[engine]/[host]/[appname].xml if you don't want to use
   autoDeploy="true" or if you want to deploy your application from
   somewhere other than the auto-deploy webapps directory.

3. Stop using "path" and "docBase".

Hope that helps,
-chris

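As an added illustration of the advice in the message above (this file is not part of the thread and not from the Tomcat project), here is what the manager context looks like when it follows steps 1 and 3: it lives in the application's own META-INF/context.xml rather than server.xml, carries neither "path" nor "docBase", and keeps the RemoteAddrValve from the quoted configuration. The IP addresses in the "allow" attribute are constructed placeholders; each entry is a Java regular expression, so the dots are escaped, and the alternation is written as one pattern so it reads the same on Tomcat 6 and later.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- webapps/manager/META-INF/context.xml  (added example, not from the thread)

     No "path" and no "docBase": Tomcat derives the context path "/manager"
     from the directory name, so with autoDeploy="true" the application is
     deployed exactly once and this valve is guaranteed to apply to it.
     If autoDeploy is disabled, the same content goes into
     conf/Catalina/localhost/manager.xml instead (step 2 in the message). -->
<Context privileged="true">

  <!-- Restrict the manager to the office address range in addition to the
       manager-gui password. The addresses below are constructed placeholders:
       replace them with your own office range. Anything not matched by
       "allow" receives a 403 from the valve before the webapp sees it. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1|192\.168\.10\.\d+" />

</Context>
```

After deploying, a quick check is to request /manager/html once from an allowed address and once from any other host: the first should prompt for the manager password, the second should be refused with 403 without ever showing the authentication dialog. If both prompt for a password, a second copy of the context (typically a leftover <Context> in server.xml) is winning the deployment, which is exactly the double-deployment problem the message warns about.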