When using Tomcat clusters on an untrusted subnet or using a routable
multicast address, I see the potential for a rogue Tomcat instance to
join a cluster in order to hijack session information.  This doesn't
seem to be cured by any firewalling of incoming connections to the
valid servers, as, from what I have read, the valid servers will do a
unicast connect to the rogue server on the address/port specified by the
rogue server's multicast transmission and will transfer session data
to it.

If this is incorrect, I'd be grateful for an explanation.  If this is
correct, is there any way to restrict autodiscovery of cluster
membership to a known list of IPs or disable auto discovery
altogether?

Thanks,

Ryan
