Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/10/14 11:22:55 UTC

svn commit: r1022441 - in /tomcat/trunk/webapps: docs/manager-howto.xml host-manager/401.jsp host-manager/403.jsp manager/401.jsp manager/403.jsp

Author: markt
Date: Thu Oct 14 09:22:54 2010
New Revision: 1022441

URL: http://svn.apache.org/viewvc?rev=1022441&view=rev
Log:
Add some more info on CSRF protection for the manager and host manager applications

Modified:
    tomcat/trunk/webapps/docs/manager-howto.xml
    tomcat/trunk/webapps/host-manager/401.jsp
    tomcat/trunk/webapps/host-manager/403.jsp
    tomcat/trunk/webapps/manager/401.jsp
    tomcat/trunk/webapps/manager/403.jsp

Modified: tomcat/trunk/webapps/docs/manager-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/manager-howto.xml?rev=1022441&r1=1022440&r2=1022441&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/manager-howto.xml (original)
+++ tomcat/trunk/webapps/docs/manager-howto.xml Thu Oct 14 09:22:54 2010
@@ -169,6 +169,18 @@ an example of restricting access to the 
                 allow="127\.0\.0\.1"/>
 </Context>
 </pre>
+
+<p>The HTML interface is protected against CSRF but the text and JMX interfaces
+are not. To maintain the CSRF protection:</p>
+    
+<ul>
+  <li>users with the <tt>manager-gui</tt> role should not be granted either the
+      <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+  <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+      testing since these interfaces are intended for tools not humans) then the
+      browser must be closed afterwards to terminate the session.</li>
+</ul>
+
 </section>
 
 
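Review bot: The new paragraph in this hunk writes the interface name as "JMX" in the first sentence but "jmx" in the second list item ("if the text or jmx interfaces are accessed"); use "JMX" consistently, and consider starting both list items with a capital letter so they read as the sentences they are. The line after the paragraph (`+    `) also carries trailing whitespace that should be dropped.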

Modified: tomcat/trunk/webapps/host-manager/401.jsp
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/host-manager/401.jsp?rev=1022441&r1=1022440&r2=1022441&view=diff
==============================================================================
--- tomcat/trunk/webapps/host-manager/401.jsp (original)
+++ tomcat/trunk/webapps/host-manager/401.jsp Thu Oct 14 09:22:54 2010
@@ -54,9 +54,20 @@
     the functionality you wish to access.
    </p>
     <ul>
-      <li><tt>admin</tt> - allows access to the HTML GUI</li>
+      <li><tt>admin-gui</tt> - allows access to the HTML GUI</li>
       <li><tt>admin-script</tt> - allows access to the text interface</li>
     </ul>
+   <p>
+    The HTML interface is protected against CSRF but the text interface is not.
+    To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>admin-gui</tt> role should not be granted the
+       <tt>manager-script</tt> role.</li>
+    <li>if the text interface is accessed through a browser (e.g. for testing
+        since this interfaces is intended for tools not humans) then the browser
+        must be closed afterwards to terminate the session.</li>
+   </ul>
  </body>
 
 </html>
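Review bot: The first list item in this hunk names the wrong role: it tells `admin-gui` users not to be granted `manager-script`, but the host-manager text interface is guarded by `admin-script`, as the list just above it states (`<li><tt>admin-script</tt> - allows access to the text interface</li>`). As written the advice cannot be followed for the host-manager and the CSRF protection the paragraph describes is not preserved; change `manager-script` to `admin-script`. The second item also has a grammatical slip, "since this interfaces is intended", which should read "since this interface is intended".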

Modified: tomcat/trunk/webapps/host-manager/403.jsp
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/host-manager/403.jsp?rev=1022441&r1=1022440&r2=1022441&view=diff
==============================================================================
--- tomcat/trunk/webapps/host-manager/403.jsp (original)
+++ tomcat/trunk/webapps/host-manager/403.jsp Thu Oct 14 09:22:54 2010
@@ -71,6 +71,17 @@
       <li><tt>admin-gui</tt> - allows access to the HTML GUI</li>
       <li><tt>admin-script</tt> - allows access to the text interface</li>
     </ul>
+   <p>
+    The HTML interface is protected against CSRF but the text interface is not.
+    To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>admin-gui</tt> role should not be granted the
+       <tt>manager-script</tt> role.</li>
+    <li>if the text interface is accessed through a browser (e.g. for testing
+        since this interfaces is intended for tools not humans) then the browser
+        must be closed afterwards to terminate the session.</li>
+   </ul>
  </body>
 
 </html>
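Review bot: Same role mix-up as in the 401.jsp hunk: the item "users with the <tt>admin-gui</tt> role should not be granted the <tt>manager-script</tt> role" should refer to `admin-script`, which is the role this page lists for the host-manager text interface. "since this interfaces is intended" should also be "since this interface is intended". Since 401.jsp and 403.jsp carry identical text, both need the same correction.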

Modified: tomcat/trunk/webapps/manager/401.jsp
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/manager/401.jsp?rev=1022441&r1=1022440&r2=1022441&view=diff
==============================================================================
--- tomcat/trunk/webapps/manager/401.jsp (original)
+++ tomcat/trunk/webapps/manager/401.jsp Thu Oct 14 09:22:54 2010
@@ -63,6 +63,17 @@
       <li><tt>manager-status</tt> - allows access to the status pages only</li>
     </ul>
    <p>
+    The HTML interface is protected against CSRF but the text and JMX interfaces
+    are not. To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>manager-gui</tt> role should not be granted either
+        the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+    <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+         testing since these interfaces are intended for tools not humans) then
+         the browser must be closed afterwards to terminate the session.</li>
+   </ul>
+   <p>
     For more information - please see the
     <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
    </p>
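Review bot: The added text is correct for the manager roles, but the interface name is inconsistent within the same paragraph: "JMX interfaces" in the first sentence versus "jmx interfaces" in the second list item. Use "JMX" in both places, matching the `manager-jmx` role name the item itself refers to.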

Modified: tomcat/trunk/webapps/manager/403.jsp
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/manager/403.jsp?rev=1022441&r1=1022440&r2=1022441&view=diff
==============================================================================
--- tomcat/trunk/webapps/manager/403.jsp (original)
+++ tomcat/trunk/webapps/manager/403.jsp Thu Oct 14 09:22:54 2010
@@ -78,6 +78,17 @@
       <li><tt>manager-status</tt> - allows access to the status pages only</li>
     </ul>
    <p>
+    The HTML interface is protected against CSRF but the text and JMX interfaces
+    are not. To maintain the CSRF protection:
+   </p>
+   <ul>
+    <li>users with the <tt>manager-gui</tt> role should not be granted either
+        the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+    <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+         testing since these interfaces are intended for tools not humans) then
+         the browser must be closed afterwards to terminate the session.</li>
+   </ul>
+   <p>
     For more information - please see the
     <a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
    </p>
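Review bot: Same capitalisation inconsistency as the manager 401.jsp hunk ("JMX" in the paragraph, "jmx" in the second list item); the two pages duplicate this block verbatim, so the fix should be applied to both so they do not drift apart.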


