Securing Tomcat Manager auth-method
In light of the recent announcement, is securing Tomcat Manager with org.apache.catalina.valves.RemoteAddrValve enough if we are using 127.0.0.1, or should I consider changing the manager auth-method from BASIC to FORM and enable HTTPS as well?

Is running Tomcat as a Windows service considered insecure?

leo
Re: Securing Tomcat Manager auth-method
Leo Donahue - PLANDEVX wrote:
> In light of the recent announcement, is securing Tomcat Manager with org.apache.catalina.valves.RemoteAddrValve enough if we are using 127.0.0.1, or should I consider changing the manager auth-method from BASIC to FORM and enable HTTPS as well?
> Is running Tomcat as a Windows service considered insecure?

I must say that I fail to see the link with the recent announcement, which concerned only DIGEST authentication.

If you already allow access to the Tomcat Manager only from localhost, and presuming that only authorised people can access this host, and if in addition even ditto users from localhost have to login (with some non-trivial userid and password), then that seems rather secure to me.
Of course, if anyone can login to the Tomcat host, then you probably have other issues than logging in to the Manager.

Similarly, running Tomcat as a Windows Service should be, if anything, more secure than running it in a command window, since presumably only some selected users are allowed to start/stop Windows services.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
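For reference, the "only from localhost" setup discussed above looks like the following manager context file. This is an added example, not configuration posted in the thread; the file location and the `privileged`/`antiResourceLocking` attributes follow the standard Tomcat 7 manager layout, and the `allow` pattern is the usual loopback regex, which is the part people most often get wrong.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: $CATALINA_BASE/webapps/manager/META-INF/context.xml
     (or, to survive upgrades, $CATALINA_BASE/conf/Catalina/localhost/manager.xml).
     Not taken from the mailing-list thread. -->
<Context antiResourceLocking="false" privileged="true">

  <!-- RemoteAddrValve compares the client's IP address, as seen by the
       connector, against the 'allow' regular expression. A request from
       any other address is refused with HTTP 403 before BASIC/FORM
       authentication is even attempted, so the login page is never
       exposed to the network.

       127\.\d+\.\d+\.\d+  : the whole IPv4 loopback block
       ::1 and 0:0:0:0:0:0:0:1 : IPv6 loopback, in both spellings.
       The IPv6 forms matter: on a host where 'localhost' resolves to ::1
       a pattern containing only 127.0.0.1 locks out the local browser. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

</Context>
```

Two caveats worth checking when relying on this. First, the valve sees the address of whoever connects to the connector: if a reverse proxy sits in front of Tomcat, every request arrives from the proxy's address, so the restriction is only meaningful if the proxy never forwards `/manager` or `RemoteIpValve` is configured ahead of this valve to restore the real client address. Second, switching from BASIC to FORM does not protect the credentials in transit; both send the password in the clear over plain HTTP, and the fix for that is TLS, enforced for the manager by adding a `<user-data-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` to each `<security-constraint>` in the manager's `WEB-INF/web.xml`.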
Re: Securing Tomcat Manager auth-method
André,

On 9/26/2011 11:30 AM, André Warnier wrote:
> Leo Donahue - PLANDEVX wrote:
>> In light of the recent announcement, is securing Tomcat Manager with org.apache.catalina.valves.RemoteAddrValve enough if we are using 127.0.0.1, or should I consider changing the manager auth-method from BASIC to FORM and enable HTTPS as well?
>> Is running Tomcat as a Windows service considered insecure?
>
> I must say that I fail to see the link with the recent announcement, which concerned only DIGEST authentication.

+1

> Similarly, running Tomcat as a Windows Service should be, if anything, more secure than running it in a command window, since presumably only some selected users are allowed to start/stop Windows services.

+1

Also, running as a service typically runs with even fewer privileges than a console user (no network-mapped volumes, etc.).

One could argue that running anything on Windows makes it less secure, but that would be a cheap shot :)

-chris