On 25/11/2013 11:29, Konstantin Kolinko wrote:
> 2013/11/25 <ma...@apache.org>:
>> Author: markt
>> Date: Mon Nov 25 10:26:26 2013
>> New Revision: 1545213
>>
>> URL: http://svn.apache.org/r1545213
>> Log:
>> When running under a security manager disabled deployXML by default.
>>
>
> +1.
>
> Note, that
> The manager application in its default configuration will stop working
>
> There was a thread in October,
> "can't connect to manager application"
> http://markmail.org/thread/ob3kjbnvu2usljmz
>
> I thought to add this effect to the description of "deployXML"
> attribute, but have not got there yet.
>
> Similarly, if someone has important bits in their META-INF/context.xml
> such as RemoteAddrValve and AccessLogValve, those will be ignored with
> this change. If those were not critical to one's web application and
> it starts successfully, it will lower their security,

Ah. That isn't good.

I think it will be safer to introduce this change only in 8.0.x. It can
be documented in the migration guide. That sort of change in a point
release is going to catch people out.

Mark

>
> In TC7 changelog:
>> Host's <code>deloyXML</code> attribute to <code>false</code>.
>
> s/deloy/deploy/
>
> Best regards,
> Konstantin Kolinko
>
>> Modified:
>> tomcat/trunk/java/org/apache/catalina/core/StandardHost.java
>> tomcat/trunk/webapps/docs/config/host.xml
>> tomcat/trunk/webapps/docs/security-howto.xml
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
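
An added example, not part of the original thread or of Tomcat's code: a Python audit that lists the Valve elements declared in each web application's embedded META-INF/context.xml, which are the settings the thread says are ignored once deployXML is false. The function names and the sample applications (`admin`, `shop.war`, `plain`) are constructed for illustration.

```python
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

DESCRIPTOR = "META-INF/context.xml"

def valve_classes(xml_bytes):
    """Return the className of every <Valve> in a context descriptor."""
    root = ET.fromstring(xml_bytes)
    return sorted(v.get("className", "?") for v in root.iter("Valve"))

def embedded_valves(app_base):
    """Map each app under app_base to the Valves in its embedded descriptor."""
    report = {}
    for path in sorted(Path(app_base).iterdir()):
        data = None
        if path.is_dir():  # exploded web application
            candidate = path / "META-INF" / "context.xml"
            if candidate.is_file():
                data = candidate.read_bytes()
        elif path.suffix.lower() == ".war" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as war:  # packed web application
                if DESCRIPTOR in war.namelist():
                    data = war.read(DESCRIPTOR)
        if data is None:
            continue  # no embedded descriptor, nothing to lose
        try:
            valves = valve_classes(data)
        except ET.ParseError:
            valves = ["<unparseable descriptor>"]  # flag for manual review
        if valves:
            report[path.name] = valves
    return report

def build_sample(app_base):
    """Constructed sample: an exploded app, a WAR, and an app with no descriptor."""
    base = Path(app_base)
    meta = base / "admin" / "META-INF"
    meta.mkdir(parents=True)
    (meta / "context.xml").write_text(
        '<Context><Valve className="org.apache.catalina.valves.RemoteAddrValve"/></Context>')
    with zipfile.ZipFile(base / "shop.war", "w") as war:
        war.writestr(DESCRIPTOR,
            '<Context><Valve className="org.apache.catalina.valves.AccessLogValve"/></Context>')
    (base / "plain" / "WEB-INF").mkdir(parents=True)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(embedded_valves(tmp))
```

Point `embedded_valves` at a Host's appBase directory before changing deployXML; every application it reports carries valves that would need to be moved out of the embedded descriptor to stay in effect.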