Ignoring web application code, what you say below is true.
However the introduction of a new webapp introduces new potential risks
that must be evaluated and reviewed. The servlet code itself can
potentially read any resource available to tomcat within the system.
I would recommend a combina
Hello
If I have changed the default admin & manager
passwords and have a personal firewall preventing
anything other than http & http:8080 access, is it
still possible for people to view the tomcat-users.xml
file? With only those two protocols open (plus udp 53
for dns) it should be impossible.
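The reply above makes the point that a firewall limiting access to HTTP does not protect tomcat-users.xml, because any web application deployed into Tomcat runs with Tomcat's own operating-system privileges and serves its output over the very port the firewall allows. The following servlet is an added illustration written for this page, not code from the thread or from the Tomcat project; it assumes the javax.servlet API of the Tomcat 4/5 era, a standard layout where the catalina.base (or catalina.home) system property points at the instance directory that holds conf/tomcat-users.xml, and a web.xml mapping that routes some URL (say /users) to the ReadUsersServlet class used here.

```java
// Added example for this thread, not from the original posts or from Tomcat.
// Assumes the javax.servlet API and a default instance layout where
// ${catalina.base}/conf/tomcat-users.xml exists (both are assumptions).
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Shows why port-level firewalling is not a defence for tomcat-users.xml:
 * a servlet runs as the same OS user as Tomcat, so it can open any file that
 * user can read and return it as an ordinary HTTP response on the open port.
 */
public class ReadUsersServlet extends HttpServlet {

    /** Resolve conf/tomcat-users.xml relative to the running Tomcat instance. */
    static File usersFile() {
        // catalina.base is set by the Tomcat startup scripts; catalina.home is
        // the fallback for installations that do not separate the two.
        String base = System.getProperty("catalina.base",
                System.getProperty("catalina.home", "."));
        return new File(new File(base, "conf"), "tomcat-users.xml");
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        File f = usersFile();
        boolean readable;
        try {
            readable = f.canRead();
        } catch (SecurityException denied) {
            // Tomcat started with -security applies conf/catalina.policy, and
            // the default policy grants a web application no FilePermission on
            // conf/, so the check itself is refused rather than returning false.
            readable = false;
        }
        if (!readable) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "cannot read " + f.getAbsolutePath());
            return;
        }

        // No security manager and a readable file: stream it back verbatim.
        resp.setContentType("text/plain");
        InputStream in = new FileInputStream(f);
        OutputStream out = resp.getOutputStream();
        try {
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

Deploying this (or any equivalent JSP) is all an attacker who can get a web application onto the server needs; the firewall never sees anything but a GET on port 8080. The two controls that actually stop it are the ones the code path shows: running Tomcat under an unprivileged account so conf/ is not world-readable beyond what Tomcat needs, and starting Tomcat with the security manager so catalina.policy confines each web application to its own directory.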