tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: can't connect to manager application
Date Sun, 20 Oct 2013 19:09:10 GMT
2013/10/20 Christopher Schultz <chris@christopherschultz.net>:
> Edoardo,
>
> On 10/18/13 6:03 PM, Edoardo Panfili wrote:
>> On 17/10/13 18:45, Edoardo Panfili wrote:
>
> I'll bet the problem is that Tomcat doesn't like applications
> declaring themselves to be privileged="true". The first time Tomcat is
> started, META-INF/context.xml from the Manager is copied into
> conf/Catalina/localhost/manager.xml where the privileged="true" is
> preserved. With deployXML="false", this file is not copied and so
> META-INF/context.xml is used instead. Tomcat maybe doesn't allow
> META-INF/context.xml to contain privileged="true".
>
> (Of course, Tomcat seems perfectly happy to copy META-INF/context.xml
> into conf/Catalina/localhost/manager.xml and *then* permit
> privileged="true" so my premise is a bit shaky).
>

Copying is controlled by the "copyXML" attribute.

The meaning of deployXML="false" is that Tomcat ignores
META-INF/context.xml files bundled with web applications and honors
only those that were explicitly (manually) configured by the
Administrator in the conf directory of the server.

(Thus you have better control over deployed applications, but with
more work to configure them.)

deployXML="false" and running with SecurityManager are usually used together.

If you omit the latter, a rogue web application can reconfigure Tomcat
via reflection.

If you omit the former, an application can be configured via
context.xml so that it bypasses some crucial security restrictions.


Best regards,
Konstantin Kolinko
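
The deployXML / copyXML / privileged interaction discussed in this thread, as an added example that is not part of the original message and is not Tomcat code: a small audit over a server.xml excerpt and the META-INF/context.xml files bundled with each application. The host names, application names and finding codes are constructed for illustration, and an absent deployXML is assumed to mean "true" (no SecurityManager in use).

```python
import xml.etree.ElementTree as ET

# Constructed server.xml excerpt (not from the thread): one locked-down Host, one default Host.
SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps" deployXML="false"/>
  <Host name="legacy.example" appBase="legacy" copyXML="true"/>
</Engine></Service></Server>"""

# Constructed META-INF/context.xml contents, keyed by (host name, application name).
BUNDLED = {
    ("localhost", "manager"): '<Context privileged="true"/>',
    ("legacy.example", "uploads"): '<Context privileged="true"/>',
    ("legacy.example", "shop"): "<Context/>",
}

def is_true(elem, attr, default):
    return elem.get(attr, default).strip().lower() == "true"

def audit(server_xml, bundled):
    """Return (host, app, code, detail) findings for every Host in server_xml."""
    findings = []
    for engine in ET.fromstring(server_xml).iter("Engine"):
        for host in engine.iter("Host"):
            name = host.get("name")
            # Assumption: an absent deployXML means "true" (no SecurityManager in use).
            deploy_xml = is_true(host, "deployXML", "true")
            copy_xml = is_true(host, "copyXML", "false")
            if deploy_xml:
                findings.append((name, None, "DEPLOYXML_ON",
                                 "applications can configure their own Context"))
            for (h, app), ctx in sorted(bundled.items()):
                if h != name or not is_true(ET.fromstring(ctx), "privileged", "false"):
                    continue
                path = f"conf/{engine.get('name')}/{name}/{app}.xml"
                if not deploy_xml:
                    # Bundled descriptor is not read, so the app runs unprivileged by default.
                    findings.append((name, app, "BUNDLED_IGNORED",
                                     f"privileged only if the administrator sets it in {path}"))
                else:
                    note = f"; copied to {path}" if copy_xml else ""
                    findings.append((name, app, "SELF_PRIVILEGED",
                                     "application grants itself privileged" + note))
    return findings

if __name__ == "__main__":
    for finding in audit(SERVER_XML, BUNDLED):
        print(finding)
```

The BUNDLED_IGNORED finding for the manager application is the situation in this thread: with deployXML="false" the Manager needs an administrator-provided conf/Catalina/localhost/manager.xml.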
