tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: Tomcat 3.2
Date Wed, 26 Jul 2000 17:57:44 GMT
> That leaves the snoop.jsp bug and the admin context insecurity.  The
> admin.war could just be distributed in a different location and we put

I think I resovled admin context - even if it is loaded, the admin must
edit server.xml and turn "trusted" to "true" ( the default is false ).

Without this flag the admin can't access tomcat internals and can't do
anything wrong ( it's a bit ugly - since it can't get the internal Context
it will display a NPE ).

I also added a security constraint requiring "admin" role to access the
admin app.  The server admin must edit tomcat-users and add a user/pass
that have admin role in order for admin app to work.

I think it's enough for now, probably we need to document this ( in the
FAQ or in admin index.html )

I don't remember what was the problem with snoop.jsp - but regarding stack
traces there are many other servlet engines showing stack traces on error. 
We do need a solution, but probably tomcat 3.3 is the best place to
implement it.


View raw message