Hey Richard,

yes maybe we can add a script to help and users can run afterwards.
Probably a good compromise.
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Sun, Mar 13, 2022 at 6:51 PM Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> wrote:

> Thanks for brining up this important topic!
>
> Perhaps it would be a good idea to include a security walkthrough on
> our web page (even if we only link to Tomcat) as well to cover this
> (very) important topic. This could also include secure systemd
> configuration, etc.
>
> In addition it might be an option to go the "mariadb" way (I am
> thinking of 'mysql_secure_installation' [1]) and provide a shell / bash
> (+ Windows) script, which we include in our distribution archives. If a
> user execute the script, the default configurations are hardended.
> However, we would need to "promote" it, so users get to know it.
>
> This would mitigate possible pain in our code base / tests / examples
> or for developers working with or on TomEE applications (or on TomEE
> itself).
>
> Wdyt?
>
> Gruß
> Richard
>
>
>
> [1] https://mariadb.com/kb/en/mysql_secure_installation/
>
>
> Am Sonntag, dem 13.03.2022 um 11:45 +0100 schrieb Jean-Louis Monteiro:
> > Thanks David for the quick reply. There is probably a balance to
> > find.
> >
> > I agree that the tradeoffs can hurt us more than the actual small
> > settings
> > to apply.
> > They are pretty well documented and clear in the following page
> > https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html
> >
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Sun, Mar 13, 2022 at 9:58 AM David Blevins <dblev...@tomitribe.com
> > >
> > wrote:
> >
> > > > On Mar 12, 2022, at 11:34 PM, Jean-Louis Monteiro <
> > > jlmonte...@tomitribe.com> wrote:
> > > > xpoweredBy giving the exact version of Tomcat for instance
> > > > The error valve attributes are set to false so it does not
> > > > display
> > > Tomcat's
> > > > version and does not discard exceptions.
> > > >
> > > > Should we somehow pre-configure TomEE to be a bit more secure?
> > > > The downside is that in development, with Arquillian or TomEE
> > > > Maven
> > > plugin
> > > > we lose some useful information to debug and understand what's
> > > > going on.
> > >
> > > I think you raise a key point in that last sentence.  If we do
> > > things like
> > > have TomEE eat stacktraces and fail silently by default, that
> > > doesn't just
> > > make it harder for people to write applications on TomEE, that also
> > > makes
> > > it harder for us to develop TomEE.
> > >
> > > I think that would likely translate into fewer people making it out
> > > of the
> > > development phase, which means fewer users, fewer contributors and
> > > fewer
> > > resources.
> > >
> > > We'd also have to sweep through all our test cases and examples and
> > > ensure
> > > that things like stacktraces are enabled, which would make tests
> > > and
> > > examples more complicated.  It could also reinforce people using
> > > the dev
> > > settings in production if they're seeing them repeated in our 180+
> > > examples.  They'd still be in the position of having to read a doc
> > > to undo
> > > the settings before production.
> > >
> > > Not totally against, it just sounds very tricky.
> > >
> > > It's definitely a good conversation and there are likely specific
> > > things
> > > we can do that could be palatable but don't completely sacrifice
> > > the dev
> > > experience.
> > >
> > >
> > >
> > > -David
> > >
> > >
>

Reply via email to