Myrna van Lunteren wrote:
> I don't think there's much of any warning in or near the servlet
> re security issues.

This is an excellent point. I think it would be good to add text
such as the following in two places:
1) As XML comments in the web.xml file for the host init-param
2) In the NetServlet documentation in the manual.

The text should be something like the following (taken from the
Network Server page):

      Remember: Before using the -h option, you should run under the
      Java security manager and enable user authentication.

      By default, the Network Server will listen to requests only on
      the loopback address, which means that it will only accept
      connections from the local host.

Do you think that would address the security concern? The default
for the NetServlet is still "localhost", so it is the same as for
the other out-of-the-box ways to run the Network Server.

thanks,

bryan


