On 2019-10-07 at 16:54, Christopher Schultz wrote:
> All,
>
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
>
> Proposal: Remove WebDAV
>
> Justification:
>
> WebDAV is a protocol that never really took off[2].

From where do you take this? We, at work, use it all the time. Either
from Sharepoint, or a new project with mod_dav.
Another great example is mod_dav_svn. You can access your repo with any
DAV client (except crappy Windows Explorer).

> Read-only WebDAV
> can practically be replaced by standard HTTP GET

No, it can't. You can't list collections with multistatus w/o WebDAV.

> and read-write WebDAV
> has a host of security problems. There are better solutions to
> supporting WebDAV than using the Tomcat module.

Which are? Milton.io?
The only drawback I see with the current servlet is that I cannot have
arbitrary paths of my context served by this servlet. It serves either
the entire app or nothing. That's why I have resorted to mod_dav.

> A recent search of the users mailing list shows only 10 threads
> regarding WebDAV in the past 6 years.

Maybe people are just happy with the servlet?
Michael
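
Added illustration (not part of the message above and not Tomcat or mod_dav code): the collection listing the reply refers to is a PROPFIND request with `Depth: 1`, answered by a 207 Multi-Status body, which a plain GET has no standard equivalent for. The paths, sizes and the helper name `list_collection` are constructed for this example.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # WebDAV XML namespace (RFC 4918)

# Body of a PROPFIND request; sent with the header "Depth: 1" to list members.
PROPFIND_BODY = ('<D:propfind xmlns:D="DAV:"><D:prop>'
                 '<D:resourcetype/><D:getcontentlength/></D:prop></D:propfind>')

# Constructed 207 Multi-Status reply for PROPFIND /repo/ (not captured traffic).
SAMPLE_MULTISTATUS = """<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/repo/</D:href>
  <D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
   <D:status>HTTP/1.1 200 OK</D:status></D:propstat>
  <D:propstat><D:prop><D:getcontentlength/></D:prop>
   <D:status>HTTP/1.1 404 Not Found</D:status></D:propstat>
 </D:response>
 <D:response><D:href>/repo/trunk/</D:href>
  <D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
   <D:status>HTTP/1.1 200 OK</D:status></D:propstat>
 </D:response>
 <D:response><D:href>/repo/README.txt</D:href>
  <D:propstat><D:prop><D:resourcetype/>
    <D:getcontentlength>1024</D:getcontentlength></D:prop>
   <D:status>HTTP/1.1 200 OK</D:status></D:propstat>
 </D:response>
</D:multistatus>"""


def list_collection(multistatus_xml):
    """Return [(href, is_collection, size_or_None)] from a 207 response body."""
    # For bodies from untrusted servers, parse with a hardened XML parser.
    root = ET.fromstring(multistatus_xml)
    if root.tag != DAV + "multistatus":
        raise ValueError("not a DAV:multistatus document")
    entries = []
    for resp in root.findall(DAV + "response"):
        is_collection, size = False, None
        for propstat in resp.findall(DAV + "propstat"):
            # Each propstat carries its own status; use only properties with 200.
            status = propstat.findtext(DAV + "status", "").split()[1:2]
            prop = propstat.find(DAV + "prop")
            if status != ["200"] or prop is None:
                continue
            if prop.find(f"{DAV}resourcetype/{DAV}collection") is not None:
                is_collection = True
            length = prop.findtext(DAV + "getcontentlength")
            if length:
                size = int(length)
        entries.append((resp.findtext(DAV + "href"), is_collection, size))
    return entries
```
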