Remy Maucherat wrote:
Jean-Francois Arcand wrote:

Actually, my next step is to allow an empty field in catalina.properties, which will disable the mechanism (next commit :-)). Right now you can only disable the mechanism by removing the catalina.properties or if you use the Embedded interface.

By default I still want to keep Tomcat as secure as possible, but leave the door open for disabling the mechanism. As an example, when Tomcat gets benchmarked against other unsecure containers with security turned on, people will think Tomcat is slower, which is not right.


I don't understand. This configuration will make security useless, so what's the point? Why not just disable security if it's going to be useless?

It's not useless. Normal permissions are still turned on. It's only the package protection that is disabled. When disabled, Tomcat 5 is as unsecure as Tomcat 4 in terms of sniffing/loading classes, but still secure in terms of browsing the file system etc.


-- Jeanfrancois



Rémy


--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]





