2010/5/7 Mark Thomas <ma...@apache.org>:
> I'm trying to decide the best way to back-port the configuration of this to
> the (Host) Manager app in Tomcat 5 & 6.
>
> The requirements are:
> - not to break anything that currently works
> - enable CSRF for the HTML interface
> - the same user cannot have access to the HTML and text interfaces for the
> filter to be effective.
>
> I can't see a way to meet all of these.
>
> The options I am considering are:
> A: change the role required to access the text interface to manager-text
> - consistent with Tomcat 7
> - will break tools currently using the manager role
>
> B: comment out the mapping for the text interface
> - will break tools currently using the text interface
>
> C: change the role required to access the HTML interface
> - not consistent with Tomcat 7
> - will break user access to the Manager GUI
>
> D: Don't enable the filter by default but provide instructions on what to do
> if you do want to enable it in the docs. Something along the lines of:
> - uncomment the Filter and filter mapping
> - change the role used for the text and jmx interfaces (to match the new
> names in Tomcat 7)
>
> I am currently leaning towards D along with some changes to the web.xml
> files that won't change current behaviour but will make it simpler to add
> the CSRF filter.
>
> Thoughts?
It is possible to combine A+C:

E. Use a different name for the new role that allows access to the GUI interface only, "manager-gui", as well as new "manager-script", "manager-jmx", "manager-status".

We can even rename "manager" -> "manager-gui" in Tomcat 7. The "manager" role is preserved as is, but is documented as "deprecated" and is no longer recommended for use.

Best regards,
Konstantin Kolinko
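Option E expressed as configuration, added here as an illustration and not taken from Tomcat's shipped web.xml or tomcat-users.xml: the CSRF filter is mapped to the HTML interface only, each interface requires its own role, and the sample accounts hold disjoint roles so that a browser session protected by the filter can never also drive the text or JMX interface. The URL patterns (Tomcat 7 layout), the resource names and the user names are assumptions; the filter class is the one Tomcat ships.

```xml
<!-- web.xml of the Manager app: illustrative excerpt, not the shipped file -->
<filter>
  <filter-name>CSRF</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
</filter>
<!-- Map the filter to the HTML interface only: the text and JMX interfaces
     are used by scripts and tools that cannot carry a CSRF nonce. -->
<filter-mapping>
  <filter-name>CSRF</filter-name>
  <url-pattern>/html/*</url-pattern>
</filter-mapping>

<!-- One role per interface. URL patterns assumed (Tomcat 7 layout). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Text Manager interface</web-resource-name>
    <url-pattern>/text/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>manager-script</role-name></auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JMX proxy interface</web-resource-name>
    <url-pattern>/jmxproxy/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>manager-jmx</role-name></auth-constraint>
</security-constraint>

<!-- tomcat-users.xml (constructed sample): keep the GUI role and the
     script/JMX roles on different accounts. An account holding both
     manager-gui and manager-script would let a forged request reach
     /text/*, which the filter on /html/* does not cover. -->
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-jmx"/>
  <user username="admin"  password="CHANGE-ME" roles="manager-gui"/>
  <user username="deploy" password="CHANGE-ME" roles="manager-script"/>
</tomcat-users>
```

The legacy "manager" role is deliberately absent from the sample users: granting it alongside manager-gui would recreate the combined access the filter cannot protect.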