Chris,
On 12/28/2018 7:07 AM, Christopher Schultz wrote:
All,
Someone asked this question on SO recently:
https://stackoverflow.com/questions/53921375/tomcat-overriding-catalina-properties-from-commandline/53952396#53952396
TLDR: this person wants to set system properties in
catalina.properties but be able to "override" those from the command-line.
The fix would be trivial: just don't clobber the value of any existing
system property in CatalinaProperties when copying the properties from
the file to the live system properties.
I'm wondering if anyone can think of any security issues with doing
that. Presumably, if a user can launch Tomcat, they can set system
properties. However, it's possible that a user might have the right to
*launch* Tomcat, but not reconfigure it (e.g. read-only
catalina.properties).
That could easily be solved by using a catalina.properties-only
setting like "catalina.properties.noclobber.system.properties=true" or
something like that.
How about adding an optional file named "catalina.properties.default",
which will be read before "catalina.properties", and whose values will
be set only if no corresponding keys are set in System properties? e.g.
# file catalina.properties.default
tomcat.port=8080
Can be overridden with `-Dtomcat.properties=8888`, but
# file catalina.properties
tomcat.host=localhost
Can not be overridden, as it is now.
Users will know that if they place a value in the default file, it could
be overridden with a System property.
This should be fairly simple and I can implement it if it sounds like a
good idea.
Igal
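
The two-file precedence proposed in this message, as an added example that is not part of the original thread and is not Tomcat's CatalinaProperties code. The class and method names are hypothetical, the file contents and launch-time values are constructed, and a plain Properties object stands in for the live system properties; it shows a launch-time value surviving for a key in the defaults file while a key in catalina.properties is still overwritten.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

// Added illustration of the proposal; hypothetical names, not Tomcat code.
public class TwoTierProperties {

    // Stage 1 (catalina.properties.default): apply a key only when the
    // launcher has not already set it, so -D values win here.
    static void applyDefaults(Properties live, Properties defaults) {
        for (String key : defaults.stringPropertyNames()) {
            if (live.getProperty(key) == null) {
                live.setProperty(key, defaults.getProperty(key));
            }
        }
    }

    // Stage 2 (catalina.properties): every key overwrites what is present,
    // so whoever controls this file has the final say for these keys.
    static void applyLocked(Properties live, Properties locked) {
        for (String key : locked.stringPropertyNames()) {
            live.setProperty(key, locked.getProperty(key));
        }
    }

    static Properties parse(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed file contents, taken from the keys in the message.
        Properties defaults = parse("tomcat.port=8080\n");
        Properties locked = parse("tomcat.host=localhost\n");

        // Constructed stand-in for values passed with -D at launch.
        Properties live = new Properties();
        live.setProperty("tomcat.port", "8888");
        live.setProperty("tomcat.host", "other.example");

        applyDefaults(live, defaults); // defaults file is read first
        applyLocked(live, locked);     // main file is read second

        System.out.println("tomcat.port=" + live.getProperty("tomcat.port"));
        System.out.println("tomcat.host=" + live.getProperty("tomcat.host"));
    }
}
```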