On 03/03/2021 09:15, Konstantin Kolinko wrote:
Wed, 3 Mar 2021 at 00:59, <[email protected]>:

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
      new 63300af  Add a note on securing the JDBC store
63300af is described below

commit 63300af16bcf90414f51323b82bbcbbc0ebe3a87
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Mar 2 21:58:23 2021 +0000

     Add a note on securing the JDBC store
---
  webapps/docs/security-howto.xml | 6 ++++++
  1 file changed, 6 insertions(+)

diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 34c62da..b986dc7 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -464,6 +464,12 @@
        <p>The <strong>persistAuthentication</strong> controls whether the
        authenticated Principal associated with the session (if any) is included
        when the session is persisted during a restart or to a Store.</p>
+
+      <p>When using the <strong>JDBCStore</strong>, the session store should be
+      secured (dedciated credentials, appropriate permissions) such that only
+      the <strong>JDBCStore</strong> is able to access the persisted session
+      data. In particular, the <strong>JDBCStore</strong> should be accessible
+      via any credentials available to a web application.</p>
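Review bot: the last sentence of the added paragraph states the opposite of what the paragraph intends: "the JDBCStore should be accessible via any credentials available to a web application" contradicts the preceding sentence, which says only the JDBCStore should be able to reach the persisted session data; it should read "should not be accessible via any credentials available to a web application". Also, "dedciated" in "(dedciated credentials, appropriate permissions)" should be "dedicated".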

I think that you meant to use "should not" in the last sentence.

Whoops :)

Also s/dedciated /dedicated/

Thanks. I'll get those fixed.

Mark
