I'm trying to decide the best way to back-port the configuration of this
to the (Host) Manager app in Tomcat 5 & 6.
The requirements are:
- not to break anything that currently works
- enable CSRF for the HTML interface
- the same user cannot have access to the HTML and text interfaces for
the filter to be effective.
I can't see a way to meet all of these.
The options I am considering are:
A: change the role required to access the text interface to manager-text
- consistent with Tomcat 7
- will break tools currently using the manager role
B: comment out the mapping for the test interface
- will break tools currently using the text interface
C: change the role required to access the HTML interface
- not consistent with Tomcat 7
- will break user access to the Manager GUI
D: Don't enable the filter by default but provide instructions on what
to do if you do want to enable it in the docs. Something along the lines of:
- uncomment the Filter and filter mapping
- change the role used for the text and jmx interfaces (to match the new
names in Tomcat 7)
I am currently leaning towards D along with some changes to the web.xml
files that won't change current behaviour but will make it simpler to
add the CSRF filter.
Thoughts?
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
