tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Securing Tomcat Manager auth-method
Date Mon, 26 Sep 2011 19:59:16 GMT

André,

On 9/26/2011 11:30 AM, André Warnier wrote:
> Leo Donahue - PLANDEVX wrote:
>> In light of the recent announcement, is securing Tomcat Manager
>> with org.apache.catalina.valves.RemoteAddrValve enough if we are
>> using 127.0.0.1 or should I consider changing the manager
>> auth-method from BASIC to FORM and enable HTTPS as well?  Is
>> running Tomcat as a Windows service considered "insecure"?
>> 
> I must say that I fail to see the link with the recent
> announcement, which concerned only DIGEST authentication.

+1

> Similarly, running Tomcat as a Windows Service should be, if
> anything, more secure than running it in a command window, since
> presumably only some selected users are allowed to start/stop
> Windows services.

+1

Also, running as a service typically runs with even fewer privileges
than a console user (no network-mapped volumes, etc.).

One could argue that running anything on Windows makes it less secure,
but that would be a cheap shot :)

-chris