Michael Ji wrote:
No particular vulnerability higher than in the case where you are
running a web server, if I am not wrong;

Tomcat is the same as a web server except JSP is its core
engine;

I would suggest following any instructions that Tomcat has
for locking it down.  For instance, there is a conf setting
(the default servlet setup in conf/web.xml) to disallow
reading directories when a welcome page (index.html,
index.jsp, etc) is not present.  v5.5 comes with the manager
webapp disabled and the admin webapp uninstalled.  (I'm not
sure whether this practice started with v5.0)

The invoker servlet should be disabled (conf/web.xml) too.

I have not seen any discussion about the dumbo passwords in the
tomcat-users.xml in the default install for user tomcat and
role1.  Just in case, my practice is to change those default
passwds.  (These might be for examples.)

Paul


Nutch-developers mailing list
https://lists.sourceforge.net/lists/listinfo/nutch-developers
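
A small audit of the three settings raised in the reply above (directory listings in the default servlet, the invoker servlet, and default passwords in tomcat-users.xml), as an added example that is not part of the original message. The sample XML, the weak-password list and the function names are constructed for illustration; point the functions at the contents of your own conf/web.xml and conf/tomcat-users.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not copied from a real install).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet><servlet-name>default</servlet-name>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern></servlet-mapping>
</web-app>"""
SAMPLE_USERS_XML = """<tomcat-users>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="deploy" password="c0nstructed-Long-Value" roles="manager"/>
</tomcat-users>"""
WEAK = {"tomcat", "admin", "password", ""}  # assumed list; extend locally

def _local(tag):
    # Drop any '{namespace}' prefix so checks work with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), None)

def audit_web_xml(xml_text):
    # XML comments are skipped by the parser, so commented-out blocks are not flagged.
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        kind = _local(elem.tag)
        if kind == "servlet" and _child_text(elem, "servlet-name") == "default":
            for p in elem:
                if (_local(p.tag) == "init-param"
                        and _child_text(p, "param-name") == "listings"
                        and (_child_text(p, "param-value") or "").lower() == "true"):
                    findings.append("directory listings enabled")
        elif kind == "servlet-mapping" and _child_text(elem, "servlet-name") == "invoker":
            findings.append("invoker servlet mapped")
    return findings

def audit_users_xml(xml_text):
    # Flags passwords from the WEAK list or equal to the username.
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        name, pw = user.get("username", ""), user.get("password", "")
        if pw in WEAK or pw == name:
            findings.append(f"user '{name}' has a default-looking password")
    return findings

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE_WEB_XML) + audit_users_xml(SAMPLE_USERS_XML))
```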