tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Securing Tomcat Manager auth-method
Date Mon, 26 Sep 2011 15:30:01 GMT
Leo Donahue - PLANDEVX wrote:
> In light of the recent announcement, is securing Tomcat Manager with org.apache.catalina.valves.RemoteAddrValve enough if we are using 127.0.0.1 or should I consider changing the manager auth-method from BASIC to FORM and enable HTTPS as well?  Is running Tomcat as a Windows service considered "insecure"?

I must say that I fail to see the link with the recent announcement, which concerned only DIGEST authentication.

If you already allow access to the Tomcat Manager only from "localhost", and presuming that only authorised people can access this host, and if in addition even ditto users from localhost have to log in (with some non-trivial userid and password), then that seems rather secure to me.

Of course if anyone can log in to the Tomcat host, then you probably have other issues than logging in to the Manager.

Similarly, running Tomcat as a Windows Service should be, if anything, more secure than 
running it in a command window, since presumably only some selected users are allowed to 
start/stop Windows services.
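
Added example, not part of the message above and not Tomcat's own code: a small check of the setup the thread discusses, confirming that the Manager's RemoteAddrValve admits only 127.0.0.1 and reporting the configured auth-method. The file contents and probe addresses are constructed samples, and the valve logic assumes the Tomcat 7 behaviour where allow/deny are each one regular expression matched against the whole address, approximated here with Python's `re`.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"

# Constructed sample of a Manager context file (not taken from the thread).
CONTEXT_XML = r'''<Context privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>
</Context>'''

# Constructed sample of the Manager web.xml login-config section.
WEB_XML = '''<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>'''

# Constructed probe addresses: loopback, two private hosts, a near-miss.
PROBES = ["127.0.0.1", "10.0.0.5", "192.168.1.20", "127.0.0.10"]


def local(tag):
    """Strip an XML namespace such as '{http://...}auth-method'."""
    return tag.rsplit("}", 1)[-1]


def valve_admits(valve, addr):
    """Assumed valve order: deny match refuses, allow match admits,
    deny-only configuration admits the rest, anything else is refused."""
    deny, allow = valve.get("deny"), valve.get("allow")
    if deny and re.fullmatch(deny, addr):
        return False
    if allow and re.fullmatch(allow, addr):
        return True
    return bool(deny) and not allow


def audit(context_xml, web_xml, probes=PROBES):
    """Report which probe addresses reach the Manager and how it authenticates."""
    valves = [e for e in ET.fromstring(context_xml).iter()
              if local(e.tag) == "Valve" and e.get("className") == VALVE]
    # With no valve configured, nothing filters by address.
    admitted = [a for a in probes if all(valve_admits(v, a) for v in valves)]
    auth = [e.text.strip() for e in ET.fromstring(web_xml).iter()
            if local(e.tag) == "auth-method" and e.text]
    return {"valve_present": bool(valves), "admitted": admitted,
            "loopback_only": bool(valves) and admitted == ["127.0.0.1"],
            "auth_method": auth[0] if auth else None}
```

A result with `loopback_only` false or `auth_method` of `None` means one of the two layers described in the reply is missing.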

