Mark,

Thanks for the review.

On 2/11/19 15:24, Mark Thomas wrote:
> On 11/02/2019 19:53, Christopher Schultz wrote:
>> https://people.apache.org/~schultz/Apache%20RoadShow%20DC%202019/Locking-Down%20Apache%20Tomcat_outline.pdf
>
> s/Default credentials/No default credentials/

That will be the point of this part: Tomcat has *zero* default credentials. I'm happy to re-name that part of the outline, but of course the content won't really change.

> Some Tomcat directories (logs, work) need to be writeable by the
> Tomcat user.

Ack

> Add the Manager app to the sharp edges. App deployment == RCE.

Ack

> App is biggest risk.

Thanks. That's what this presentation is going to point out, and give some tips for things Tomcat can do to help the application like CORS/CSRF. These are not well-understood things in app-dev land, and they need to be.

-chris