Rainer Jung wrote:
> I'm not sure. They provide an easy entry point for people using Tomcat
> because it is so simple to just use them. There are a couple of choices:
>
> - leave the examples in the download and take their security seriously.
> This is what we do now.

good choice...

> - leave the examples in the download, but don't bother about their
> security, as long as they don't compromise the container security (e.g.
> don't bother about XSS issues for the example webapps).

good choice, *if* you set up only a localhost endpoint and clearly document that the examples are only that, and open to XSS and other issues.

Actually...

> - move the examples into a separate directory, so that they are not
> active by default. Add a note about how to activate them. Also a better
> production setup, but we'll get a lot of questions why the examples do
> not work.

I guess that's what I was thinking of above.

> I think the real question is, should we still take security seriously for
> the example webapps. If no, then we should decide which way we disable
> them. I don't have a very strong opinion, because I don't feel fine
> delivering insecure example webapps, even if they are disabled. How
> should people be made aware of security in webapps, if even our example
> webapps are unsafe?

The argument is that some authors start with the examples. If they are riddled with XSS exploits, their derivative code will also be abusable.

It's nice if *someone* provides good reference examples; consider the mess in PHP development-by-example that's left the web in a half-usable state.

Bill