Posted to dev@tomcat.apache.org by kk...@apache.org on 2014/11/25 21:48:55 UTC
svn commit: r1641692 - /tomcat/trunk/webapps/docs/manager-howto.xml
Author: kkolinko
Date: Tue Nov 25 20:48:54 2014
New Revision: 1641692
URL: http://svn.apache.org/r1641692
Log:
Expand explanation on CSRF feature.
Modified:
tomcat/trunk/webapps/docs/manager-howto.xml
Modified: tomcat/trunk/webapps/docs/manager-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/manager-howto.xml?rev=1641692&r1=1641691&r2=1641692&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/manager-howto.xml (original)
+++ tomcat/trunk/webapps/docs/manager-howto.xml Tue Nov 25 20:48:54 2014
@@ -133,19 +133,22 @@ web application. The available roles are
</ul>
<p>The HTML interface is protected against CSRF (Cross-Site Request Forgery)
-attacks, but the text and JMX interfaces cannot be protected. To maintain
+attacks, but the text and JMX interfaces cannot be protected. It means that
+users who are allowed access to the text and JMX interfaces have to be cautious
+when accessing the Manager application with a web browser.
+To maintain
the CSRF protection:</p>
<ul>
- <li>Users with the <strong>manager-gui</strong> role should not be granted
- the <strong>manager-script</strong> or <strong>manager-jmx</strong>
- roles.</li>
<li>If you use web browser to access the Manager application using
a user that has either <strong>manager-script</strong> or
<strong>manager-jmx</strong> roles (for example for testing
- the plain text or JMX interfaces),
- then all windows of the browser MUST be closed afterwards to terminate
- the session.</li>
+ the plain text or JMX interfaces), do not visit other sites
+ where you may fall victim to a CSRF attack, and you MUST close all windows
+ of the browser afterwards to terminate the session.</li>
+ <li>It is recommended to never grant
+ the <strong>manager-script</strong> or <strong>manager-jmx</strong>
+ roles to users that have the <strong>manager-gui</strong> role.</li>
</ul>
<p><strong>Note</strong> that JMX proxy interface is effectively low-level root-like
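Review bot: the new advice in the first list item, "do not visit other sites where you may fall victim to a CSRF attack", is not something a user can act on, because the whole point of CSRF is that the attacking page looks harmless; the hunk's own premise is that the text and JMX interfaces "cannot be protected", so the guidance should be that no other site is visited in that browser session at all (for instance by using a separate browser profile for Manager testing), not only sites the user suspects. Two smaller points: "If you use web browser" needs an article ("a web browser"), and the second item replaces the old "should not be granted" with the weaker "It is recommended to never grant"; if the intent is unchanged, keep the stronger wording ("Never grant the manager-script or manager-jmx roles to users that have the manager-gui role.").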
@@ -225,6 +228,13 @@ help on this interface. See:</p>
<li><a href="html-manager-howto.html">HTML Manager documentation</a></li>
</ul>
+<p>The HTML interface is protected against CSRF (Cross-Site Request Forgery)
+attacks. Each access to the HTML pages generates a random token, which is
+stored in your session and is included in all links on the page. If your next
+action does not have correct value of the token, the action will be denied.
+If the token has expired you can start again from the main page or
+<em>List Applications</em> page of Manager.</p>
+
</section>
<section name="Supported Manager Commands">
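Review bot: the added paragraph says "Each access to the HTML pages generates a random token" and then refers to the case where "the token has expired", but nothing in between says what makes a token expire; since a new token is generated on each access, the reader should be told explicitly whether the token from an earlier page stops being accepted once a newer page is loaded, or only when the session ends, so they know when they need to restart from the main page. Also "does not have correct value of the token" is missing an article ("the correct value").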