Posted to dev@tomcat.apache.org by kk...@apache.org on 2014/11/27 02:14:11 UTC

svn commit: r1641981 - /tomcat/trunk/webapps/docs/manager-howto.xml

Author: kkolinko
Date: Thu Nov 27 01:14:10 2014
New Revision: 1641981

URL: http://svn.apache.org/r1641981
Log:
Improving manager documentation. Better wording.

Modified:
    tomcat/trunk/webapps/docs/manager-howto.xml

Modified: tomcat/trunk/webapps/docs/manager-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/manager-howto.xml?rev=1641981&r1=1641980&r2=1641981&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/manager-howto.xml (original)
+++ tomcat/trunk/webapps/docs/manager-howto.xml Thu Nov 27 01:14:10 2014
@@ -136,16 +136,16 @@ web application. The available roles are
 attacks, but the text and JMX interfaces cannot be protected. It means that
 users who are allowed access to the text and JMX interfaces have to be cautious
 when accessing the Manager application with a web browser.
-To maintain
-the CSRF protection:</p>
+To maintain the CSRF protection:</p>
 
 <ul>
   <li>If you use web browser to access the Manager application using
       a user that has either <strong>manager-script</strong> or
       <strong>manager-jmx</strong> roles (for example for testing
-      the plain text or JMX interfaces), do not visit other sites
-      where you may fall victim to a CSRF attack, and you MUST close all windows
-      of the browser afterwards to terminate the session.</li>
+      the plain text or JMX interfaces), you MUST close all windows
+      of the browser afterwards to terminate the session.
+      If you do not close the browser and visit other sites, you may become
+      victim of a CSRF attack.</li>
   <li>It is recommended to never grant
       the <strong>manager-script</strong> or <strong>manager-jmx</strong>
       roles to users that have the <strong>manager-gui</strong> role.</li>
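Review bot: In the first <li>, the reworded text drops the instruction "do not visit other sites" and only says what happens "If you do not close the browser and visit other sites", which reads as covering the time after testing is finished. Visiting another site in a second tab while the manager-script or manager-jmx session is still in use carries the same CSRF risk, and the old wording warned against that. Consider keeping the prohibition explicit, for example "do not visit other sites while the session is open, and you MUST close all windows of the browser afterwards to terminate the session." Also, "you may become victim of a CSRF attack" needs an article: "become a victim of".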


