Mon, 7 Oct 2019 at 17:54, Christopher Schultz <ch...@christopherschultz.net>:
>
> All,
>
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
>
> Proposal: Remove WebDAV
>
> Justification:
>
> WebDAV is a protocol that never really took off[2]. Read-only WebDAV
> can practically be replaced by standard HTTP GET and read-write WebDAV
> has a host of security problems.
My preference is to keep the WebDAV Servlet:

1) It is a good example of HTTP protocol beyond standard HTTP.

2) There exist 3rd-party test suites for this protocol.

3) It is tightly coupled with DefaultServlet and Tomcat internals (resources management layer).

4) There are no security issues with read-write WebDAV as far as I know. Enabling write (HTTP PUT) on the DefaultServlet will have the same consequences. You have to authenticate your clients.

I am using WebDAV on some Apache HTTPD server with mod_dav. I planned to use WebDAV on some Tomcat servers but I ended up with a configuration where DefaultServlet displays the files and upload and management of the files is performed via SSH/SCP.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org