Author: markt
Date: Mon Nov 25 10:30:24 2013
New Revision: 1545214

URL: http://svn.apache.org/r1545214
Log:
When running under a security manager, disable deployXML by default.

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardHost.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml
    tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1545213

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardHost.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardHost.java?rev=1545214&r1=1545213&r2=1545214&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardHost.java 
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardHost.java Mon 
Nov 25 10:30:24 2013
@@ -27,6 +27,7 @@ import java.util.regex.Pattern;
 
 import org.apache.catalina.Container;
 import org.apache.catalina.Context;
+import org.apache.catalina.Globals;
 import org.apache.catalina.Host;
 import org.apache.catalina.Lifecycle;
 import org.apache.catalina.LifecycleEvent;
@@ -120,7 +121,7 @@ public class StandardHost extends Contai
     /**
      * deploy Context XML config files property.
      */
-    private boolean deployXML = true;
+    private boolean deployXML = !Globals.IS_SECURITY_ENABLED;
 
 
     /**
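
Review bot: The Javadoc on the deployXML field still reads "deploy Context XML config files property." and does not mention that the default now depends on Globals.IS_SECURITY_ENABLED. Please extend the comment to state that the default is false when a security manager is enabled and true otherwise, so a reader of StandardHost does not have to consult host.xml to learn it. Since only the initial value is changed here, it would also help to state in the log message that an explicit deployXML setting on the Host is still honoured.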

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1545214&r1=1545213&r2=1545214&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Nov 25 10:30:24 2013
@@ -160,6 +160,11 @@
         control if Jasper (the JSP engine) uses a validating parser when
         processing *.jspx and *.tagx files. (markt)
       </add>
+      <add>
+        When running under a security manager, change the default value of the
+        Host&apos;s <code>deloyXML</code> attribute to <code>false</code>.
+        (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">
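
Review bot: Typo in the new changelog entry: "deloyXML" inside the code element should be "deployXML". As written, a search of the changelog for the attribute name will miss this entry.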

Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml?rev=1545214&r1=1545213&r2=1545214&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml Mon Nov 25 10:30:24 2013
@@ -244,7 +244,8 @@
         then be responsible for providing an external context configuration
         file, and putting it in the location defined by the
         <strong>xmlBase</strong> attribute. The flag's value defaults to
-        <code>true</code>.</p>
+        <code>true</code> unless a security manager is enabled when the default
+        is <code>false</code>.</p>
       </attribute>
 
       <attribute name="errorReportValveClass" required="false">
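
Review bot: The reworded sentence "defaults to true unless a security manager is enabled when the default is false" is hard to parse without punctuation. Suggest "defaults to true unless a security manager is enabled, in which case the default is false".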

Modified: tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml?rev=1545214&r1=1545213&r2=1545214&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml Mon Nov 25 10:30:24 
2013
@@ -173,6 +173,13 @@
     manager should be introduced at the start of the development cycle as it 
can
     be time-consuming to track down and fix issues caused by enabling a 
security
     manager for a mature application.</p>
+    
+    <p>Enabling the security manager changes the defaults for the following
+    settings:</p>
+    <ul>
+      <li>The default value for the <strong>deployXML</strong> attribute of the
+      <strong>Host</strong> element is changed to <code>false</code>.</li>
+    </ul>
   </section>
 
   <section name="server.xml">
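
Review bot: The first added line, just before the new paragraph, contains only whitespace; please drop the trailing spaces. The new list item states the changed default but not what the attribute controls, so a short pointer to the Host deployXML documentation would make the entry more useful to someone reading the security manager section on its own.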
@@ -293,9 +300,11 @@
       </p>
 
       <p>In a hosted environment where web applications may not be trusted, set
-      the <strong>deployXML</strong> attribute to <code>false</code> to ignore 
any
-      context.xml packaged with the web application that may try to assign
-      increased privileges to the web application. </p>
+      the <strong>deployXML</strong> attribute to <code>false</code> to ignore
+      any context.xml packaged with the web application that may try to assign
+      increased privileges to the web application. Note that if the security
+      manager is enabled that the <strong>deployXML</strong> attribute will
+      default to <code>false</code>.</p>
     </subsection>
 
     <subsection name="Context">
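
Review bot: Doubled "that" in the added sentence: "Note that if the security manager is enabled that the deployXML attribute will default to false". Suggest "Note that if the security manager is enabled, the deployXML attribute will default to false".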


