Author: markt
Date: Fri May 29 10:09:25 2026
New Revision: 1934745
Log:
Add known non-finding related to session persistence modification
Modified:
tomcat/site/trunk/docs/security-model.html
tomcat/site/trunk/xdocs/security-model.xml
Modified: tomcat/site/trunk/docs/security-model.html
==============================================================================
--- tomcat/site/trunk/docs/security-model.html Fri May 29 09:10:45 2026
(r1934744)
+++ tomcat/site/trunk/docs/security-model.html Fri May 29 10:09:25 2026
(r1934745)
@@ -21,6 +21,7 @@
<li>The temp directory (by default
<code>$CATALINA_BASE/temp</code>)</li>
<li>Web application working directories (by default
<code>$CATALINA_BASE/work</code>)</li>
+ <li>The persisted session store.</li>
<li>The Manager or Host Manager web applications provided with
Tomcat.</li>
<li>The JMX API (local or remote).</li>
<li>The Java Attach API or any other debugging interface.</li>
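Review bot: The new entry "The persisted session store." gives no indication of what it covers, whereas the neighbouring entries point at a concrete default location (`$CATALINA_BASE/temp`, `$CATALINA_BASE/work`); consider stating where the persisted store lives by default, or that it means whatever store the persistent session manager is configured with, so a reader can tell which files or databases the trust boundary extends to.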
@@ -111,6 +112,10 @@
<li>Any report that depends on deserialisation within the clustering code
when the EcryptInterceptor has not been configured.</li>
+ <li>Any report that depends on modification of persisted session data
+ where the mechanism to modify the persisted session data is not
+ accessible to a non-administrative user.</li>
+
<li>Any report that depends on write access to an application's
<code>docBase</code>.</li>
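Review bot: The stray blank `+` line after the new `</li>` breaks the pattern of this list, where every other item follows the previous one directly; drop it. The wording "not accessible to a non-administrative user" is a double negative that reads more clearly as "only accessible to an administrative user", and it would help to tie the new item explicitly to the "persisted session store" entry added to the trusted list above so the two changes are obviously the same boundary. Drive-by in the unchanged context: "EcryptInterceptor" looks like a typo for EncryptInterceptor.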
Modified: tomcat/site/trunk/xdocs/security-model.xml
==============================================================================
--- tomcat/site/trunk/xdocs/security-model.xml Fri May 29 09:10:45 2026
(r1934744)
+++ tomcat/site/trunk/xdocs/security-model.xml Fri May 29 10:09:25 2026
(r1934745)
@@ -29,6 +29,7 @@
<li>The temp directory (by default
<code>$CATALINA_BASE/temp</code>)</li>
<li>Web application working directories (by default
<code>$CATALINA_BASE/work</code>)</li>
+ <li>The persisted session store.</li>
<li>The Manager or Host Manager web applications provided with
Tomcat.</li>
<li>The JMX API (local or remote).</li>
<li>The Java Attach API or any other debugging interface.</li>
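Review bot: This is the xdocs copy of the same insertion as the html hunk above, so whatever wording is chosen for the new item (for example adding the default store location, as the sibling `temp` and `work` entries do) should be settled here first and the html hunk kept identical to it.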
@@ -121,6 +122,10 @@
<li>Any report that depends on deserialisation within the clustering code
when the EcryptInterceptor has not been configured.</li>
+ <li>Any report that depends on modification of persisted session data
+ where the mechanism to modify the persisted session data is not
+ accessible to a non-administrative user.</li>
+
<li>Any report that depends on write access to an application's
<code>docBase</code>.</li>
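Review bot: Same stray blank `+` line after the new `</li>` as in the html hunk; remove it here as well so both copies match the rest of the list. Since this is the source file, the "EcryptInterceptor" typo in the unchanged context line above (EncryptInterceptor) is best fixed here in a follow-up.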