I'm not sure. They provide an easy entry point for people using Tomcat because it is so simple to just use them. There are a couple of choices:

- leave the examples in the download and take their security seriously. This is what we do now.

- leave the examples in the download, but don't bother about their security, as long as they don't compromise the container security (e.g. don't bother about XSS issues for the example webapps).

- move the examples into a separate download, and add some notes about that to the docs. This will also be a better production setup, but people might miss the separate download.

- move the examples into a separate directory, so that they are not active by default. Add a note about how to activate them. Also a better production setup, but we'll get a lot of questions about why the examples do not work.

I think the real question is, should we still take security seriously for the example webapps? If not, then we should decide which way we disable them. I don't have a very strong opinion, because I don't feel fine delivering insecure example webapps, even if they are disabled. How should people be made aware of security in webapps, if even our example webapps are unsafe?

On the other hand: do we think the status of the example webapps concerning security is OK now, or do we think they would need a thorough review?

Regards,

Rainer

jean-frederic clere wrote:
Hi,

The examples (servlet and JSP) have caused a list of security issues.
I think we should remove them from the Tomcat binary packages (6.0 and 5.x at least).
Any comments?

Cheers

Jean-Frederic
