https://bz.apache.org/bugzilla/show_bug.cgi?id=65820
joao.paulo.mart...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #6 from joao.paulo.mart...@gmail.com ---
Thanks for the challenge, I might consider it.

Some additional considerations: if I am not mistaken, Tomcat HTTPS is not configured/forced by default; out of the box only HTTP is working. So most instances of Tomcat are most likely only using plain HTTP access (most I've seen, at least). But that is less relevant: (if not mistaken) Tomcat Manager is limiting access to the loopback IP range (127.*.*.*), so connections are not really supposed to reach the network. If it is changed to be used over the network, even with HTTP/SSL the password is sent repeatedly, for each request, which would create a larger attack window.

At the time of writing, HTTP basic authentication is generally not considered a secure authentication method, and it gives the feel of a dated technology. I believe we should understand it and use the best match for the specific security requirements. I think having the authentication mechanism disabled by default in Tomcat Manager would not be simpler and more cost effective. Would that be acceptable?
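The loopback restriction the comment refers to, shown here as an added illustration that is not part of this bug thread: it is the RemoteAddrValve that ships in the Manager application's META-INF/context.xml in current Tomcat releases (trimmed to the valve itself; the file also carries a Manager element not relevant here).

```xml
<!-- webapps/manager/META-INF/context.xml, trimmed to the address filter -->
<Context antiResourceLocking="false" privileged="true">
  <!-- Only IPv4 127.x.x.x and the IPv6 loopback may reach the Manager at all.
       Any other client address gets the valve's denyStatus (HTTP 403 by
       default), whatever credentials it presents, so the basic-auth password
       is never exchanged with a remote peer unless this regex is widened. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
```

Widening `allow` is exactly the change the comment describes; once it is made, the Manager should be reachable only through a TLS-enabled connector, because with basic auth the credentials travel on every request rather than once per session.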