While trying to configure Tomcat and Apache for Virtual Hosting customers, I found Glen Nielson's post from the tomcat-users list archives and wanted to say thanks a ton - it has been invaluable!

I have noticed, however, that a customer who has the manager app deployed can install a web app that is not in his own appBase directory if he knows where the sources (war or directory) are. For example, a customer can log into the manager webapp and submit a URL such as http://customerdomain.com/manager/install?path=/webdav&war=file:/path/to/webdav and it works, even though he shouldn't have access to the webdav directory (and doesn't) from a regular telnet session.

I don't care about webdav per se but certainly don't want customerA to be able to install and run CustomerB's webapp without permission. I'd be happy to send more specific config info if necessary. Any help would be greatly appreciated - I must admit that I'm stumped on this one.

-- Dan
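An added example, not part of the message above and not Tomcat code: one way to audit for the behaviour described is to scan access logs for `/manager/install` requests whose `war` source resolves outside the requesting virtual host's appBase. The host names, appBase paths, log layout (virtual host as the first field) and sample lines are all constructed assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs

# Assumed mapping of virtual host -> that customer's appBase (constructed values).
APP_BASES = {
    "customera.example": "/home/customera/webapps",
    "customerb.example": "/home/customerb/webapps",
}

# Constructed access-log lines: common log format with a leading vhost field.
SAMPLE_LOG = """\
customera.example 192.0.2.10 - alice [10/Oct/2002:13:55:36 -0700] "GET /manager/install?path=/shop&war=file:/home/customera/webapps/shop HTTP/1.1" 200 64
customera.example 192.0.2.10 - alice [10/Oct/2002:13:58:02 -0700] "GET /manager/install?path=/webdav&war=file:/home/customerb/webapps/webdav HTTP/1.1" 200 66
customerb.example 192.0.2.77 - bob [10/Oct/2002:14:01:11 -0700] "GET /manager/install?path=/x&war=file:/home/customerb/webapps/../../customera/webapps/shop HTTP/1.1" 200 61
customerb.example 192.0.2.77 - bob [10/Oct/2002:14:02:40 -0700] "GET /manager/list HTTP/1.1" 200 120
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ (?P<user>\S+) \[[^\]]+\] "GET (?P<url>\S+) [^"]*" \d{3}')

def war_path(war):
    """Normalized local path of a file: or jar:file:...!/ URL, else None."""
    if war.startswith("jar:"):
        war = war[4:].split("!", 1)[0]
    if not war.startswith("file:"):
        return None
    # normpath collapses ".." segments so traversal cannot hide the real target.
    return posixpath.normpath("/" + war[5:].lstrip("/"))

def outside_app_base(log_text, app_bases=APP_BASES):
    """Return (host, user, war) for install requests not provably inside the host's appBase."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        war = parse_qs(url.query).get("war", [None])[0]
        if url.path != "/manager/install" or war is None:
            continue
        path, base = war_path(war), app_bases.get(m["host"])
        # Non-file sources and unknown hosts are reported too: they cannot be verified.
        inside = bool(path and base) and (path == base or path.startswith(base + "/"))
        if not inside:
            findings.append((m["host"], m["user"], war))
    return findings
```
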
