Author: markt
Date: Thu Oct 14 09:02:01 2010
New Revision: 1022428
URL: http://svn.apache.org/viewvc?rev=1022428&view=rev
Log:
Add some CSRF info to migration docs
Modified:
tomcat/site/trunk/docs/migration.html
tomcat/site/trunk/xdocs/migration.xml
Modified: tomcat/site/trunk/docs/migration.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/migration.html?rev=1022428&r1=1022427&r2=1022428&view=diff
==============================================================================
--- tomcat/site/trunk/docs/migration.html (original)
+++ tomcat/site/trunk/docs/migration.html Thu Oct 14 09:02:01 2010
@@ -599,6 +599,17 @@ compatibility problems.</p>
<tt>manager-status</tt> - allows access to the status pages only</li>
</ul>
+ <p>The HTML interface is protected against CSRF but the text and JMX
+ interfaces are not. To maintain the CSRF protection:</p>
+
+ <ul>
+ <li>users with the <tt>manager-gui</tt> role should not be granted
+ either the <tt>manager-script</tt> or <tt>manager-jmx</tt>
roles.</li>
+ <li>if the text or jmx interfaces are accessed through a browser (e.g.
for
+ testing since these interfaces are intended for tools not humans)
then
+ the browser must be closed afterwards to terminate the session.</li>
+ </ul>
+
</blockquote>
</td>
</tr>
@@ -644,13 +655,24 @@ compatibility problems.</p>
<ul>
<li>
-<tt>admin</tt> - allows access to the HTML GUI and the status
+<tt>admin-gui</tt> - allows access to the HTML GUI and the status
pages</li>
<li>
<tt>admin-script</tt> - allows access to the text interface and the
status pages</li>
</ul>
+ <p>The HTML interface is protected against CSRF but the text interface is
+ not. To maintain the CSRF protection:</p>
+
+ <ul>
+ <li>users with the <tt>admin-gui</tt> role should not be granted the
+ <tt>admin-script</tt> role.</li>
+ <li>if the text interface is accessed through a browser (e.g. for testing
+ since this inteface is intended for tools not humans) then the
browser
+ must be closed afterwards to terminate the session.</li>
+ </ul>
+
</blockquote>
</td>
</tr>
Modified: tomcat/site/trunk/xdocs/migration.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/migration.xml?rev=1022428&r1=1022427&r2=1022428&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/migration.xml (original)
+++ tomcat/site/trunk/xdocs/migration.xml Thu Oct 14 09:02:01 2010
@@ -141,6 +141,17 @@ compatibility problems.</p>
<li><tt>manager-status</tt> - allows access to the status pages only</li>
</ul>
+ <p>The HTML interface is protected against CSRF but the text and JMX
+ interfaces are not. To maintain the CSRF protection:</p>
+
+ <ul>
+ <li>users with the <tt>manager-gui</tt> role should not be granted
+ either the <tt>manager-script</tt> or <tt>manager-jmx</tt>
roles.</li>
+ <li>if the text or jmx interfaces are accessed through a browser (e.g.
for
+ testing since these interfaces are intended for tools not humans)
then
+ the browser must be closed afterwards to terminate the session.</li>
+ </ul>
+
</subsection>
<subsection name="Host Manager application">
@@ -162,12 +173,23 @@ compatibility problems.</p>
assign the role(s) required for the functionality you wish to access.</p>
<ul>
- <li><tt>admin</tt> - allows access to the HTML GUI and the status
+ <li><tt>admin-gui</tt> - allows access to the HTML GUI and the status
pages</li>
<li><tt>admin-script</tt> - allows access to the text interface and the
status pages</li>
</ul>
+ <p>The HTML interface is protected against CSRF but the text interface is
+ not. To maintain the CSRF protection:</p>
+
+ <ul>
+ <li>users with the <tt>admin-gui</tt> role should not be granted the
+ <tt>admin-script</tt> role.</li>
+ <li>if the text interface is accessed through a browser (e.g. for testing
+ since this inteface is intended for tools not humans) then the
browser
+ must be closed afterwards to terminate the session.</li>
+ </ul>
+
</subsection>
<subsection name="Session cookie configuration">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
