tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Tomcat HeapMemoryUsage MBean question
Date Fri, 07 Sep 2012 20:29:08 GMT
2012/9/7 Shanti Suresh <shanti@umich.edu>:
> Hi Christopher, Hi Konstantin,
>
> On Fri, Sep 7, 2012 at 1:54 PM, Christopher Schultz <
> chris@christopherschultz.net> wrote:
>
>>
>> I personally think that's a bad idea: just set some simple username
>> and password and have your client use it: any decent command-line HTTP
>> client should support HTTP BASIC authentication.
>>
>
> Sure.  I can do that.  It just leaves the set operations vulnerable too
> though.  I can use digested passwords too, but still my scripts will need
> to be hard-coded with the password.
>
>
>>
>> That's good.
>>
>> Sure :-)  Thanks.
>
>
>>
>> Log it as an enhancement request in Bugzilla. I proposed this kind of
>> thing a few months ago though I can't seem to find the thread at the
>> moment. It was mildly rejected due to lack of interest, but but it
>> seems we have a real use-case where a user wants this capability.
>>
>
> Oh, most certainly, there is a definite use-case for this feature.  And
> others will use it heavily once you have the capability.  It just doesn't
> seem like a good plan to have the get and set secured the same way.
>

With "get" you can view someone's password.
With "set" you can change it, or change assigned roles.

(with certain Realm implementations).

There is not much difference.  I think allowing generic "get" or
generic "set" is a bad idea.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message