https://issues.apache.org/bugzilla/show_bug.cgi?id=57251

--- Comment #15 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Francisco A. Lozano from comment #12)
> One question about your reasoning - what's the point of having
> unpackWARs="false" option if it's so unusably slow in T8?

One valid use case: read-only filesystem (from Tomcat's perspective).
unpackWARs="false" allows you to run with the host's appBase directory
non-writable by Tomcat.

Having the webapps directory writable by Tomcat is a security concern,
especially if Tomcat were exploited in some way... the attacker could deploy an
application by dropping a WAR file into that directory. Obviously, there are
other ways to attack Tomcat, but this is a legitimate layer of protection.

The old behavior of unpackWARs="false" expanding WAR files into the work/
directory was acceptable from a security perspective, since nothing in the
work/ directory could be auto-deployed. Again, there are other security
concerns here with the work directory outside the scope of the original
question.

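One way to check the point made in the comment above, that the appBase directory should not be writable by the Tomcat account (an added example, not part of the bug thread or of Tomcat's code): the script reads each `<Host>` from server.xml and tests the directory's mode bits for a given uid. The function names, the sample XML and the uid are assumptions; ACLs and read-only mounts are not examined.

```python
import os
import stat
import xml.etree.ElementTree as ET

def dir_writable_by(path, uid, gids=()):
    """Mode-bit check: may uid/gids create entries in directory `path`?
    POSIX class order (owner, group, other); ACLs and mount flags are ignored."""
    if uid == 0:
        return True  # root bypasses mode bits
    st = os.stat(path)
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need

def audit_hosts(server_xml, catalina_base, uid, gids=()):
    """Return one record per <Host>, flagging appBase directories Tomcat can write to."""
    records = []
    for host in ET.fromstring(server_xml).iter("Host"):
        app_base = host.get("appBase", "webapps")      # Tomcat's default appBase
        path = os.path.join(catalina_base, app_base)   # an absolute appBase wins in join()
        records.append({
            "host": host.get("name"),
            "appBase": path,
            "unpackWARs": host.get("unpackWARs", "true") == "true",  # defaults to true
            "autoDeploy": host.get("autoDeploy", "true") == "true",  # defaults to true
            "writable": dir_writable_by(path, uid, gids),
        })
    return records

# Constructed sample configuration, not taken from the bug report.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="a">
  <Host name="a" appBase="webapps" unpackWARs="false" autoDeploy="false"/>
  <Host name="b" appBase="staging"/>
</Engine></Service></Server>"""

if __name__ == "__main__":
    import sys
    base, uid = sys.argv[1], int(sys.argv[2])  # e.g. /opt/tomcat 998 (hypothetical values)
    with open(os.path.join(base, "conf", "server.xml")) as f:
        for rec in audit_hosts(f.read(), base, uid):
            print("WRITABLE " if rec["writable"] else "read-only", rec)
```

A host reported as WRITABLE with autoDeploy enabled is the case the comment describes: a WAR dropped into that directory would be deployed.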