Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/10/14 11:02:01 UTC

svn commit: r1022428 - in /tomcat/site/trunk: docs/migration.html xdocs/migration.xml

Author: markt
Date: Thu Oct 14 09:02:01 2010
New Revision: 1022428

URL: http://svn.apache.org/viewvc?rev=1022428&view=rev
Log:
Add some CSRF info to migration docs

Modified:
    tomcat/site/trunk/docs/migration.html
    tomcat/site/trunk/xdocs/migration.xml

Modified: tomcat/site/trunk/docs/migration.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/migration.html?rev=1022428&r1=1022427&r2=1022428&view=diff
==============================================================================
--- tomcat/site/trunk/docs/migration.html (original)
+++ tomcat/site/trunk/docs/migration.html Thu Oct 14 09:02:01 2010
@@ -599,6 +599,17 @@ compatibility problems.</p>
 <tt>manager-status</tt> - allows access to the status pages only</li>
     </ul>
 
+    <p>The HTML interface is protected against CSRF but the text and JMX
+    interfaces are not. To maintain the CSRF protection:</p>
+    
+    <ul>
+      <li>users with the <tt>manager-gui</tt> role should not be granted
+          either the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+      <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+          testing since these interfaces are intended for tools not humans) then
+          the browser must be closed afterwards to terminate the session.</li>
+    </ul>
+
   </blockquote>
 </td>
 </tr>
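Review bot: the new bullet list mixes fragments that start lowercase and end with a full stop, and the second bullet's "e.g. for testing since these interfaces are intended for tools not humans" reads as a run-on; suggest rewording it along the lines of "if the text or JMX interfaces are accessed through a browser (for example while testing, since they are intended for tools rather than people), the browser must be closed afterwards to terminate the session." Also use "JMX" consistently (the paragraph above says "JMX", the bullet says "jmx"), and the line after the closing `</p>` carries trailing whitespace. Since docs/migration.html is the rendered copy of xdocs/migration.xml, whatever wording is chosen needs to be applied to both files so they stay in sync.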
@@ -644,13 +655,24 @@ compatibility problems.</p>
     
     <ul>
       <li>
-<tt>admin</tt> - allows access to the HTML GUI and the status
+<tt>admin-gui</tt> - allows access to the HTML GUI and the status
           pages</li>
       <li>
 <tt>admin-script</tt> - allows access to the text interface and the
           status pages</li>
     </ul>
 
+    <p>The HTML interface is protected against CSRF but the text interface is
+    not. To maintain the CSRF protection:</p>
+    
+    <ul>
+      <li>users with the <tt>admin-gui</tt> role should not be granted the
+          <tt>admin-script</tt> role.</li>
+      <li>if the text interface is accessed through a browser (e.g. for testing
+          since this inteface is intended for tools not humans) then the browser
+          must be closed afterwards to terminate the session.</li>
+    </ul>
+
   </blockquote>
 </td>
 </tr>
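Review bot: "inteface" in the second bullet is a typo for "interface". Separately, the rename of the `admin` role to `admin-gui` in the role list should be checked against the rest of this section and the Host Manager documentation it links to, so that no remaining text still tells users to assign a role called `admin`; the context line above ("assign the role(s) required for the functionality you wish to access") makes the role names the operative instruction here.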

Modified: tomcat/site/trunk/xdocs/migration.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/migration.xml?rev=1022428&r1=1022427&r2=1022428&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/migration.xml (original)
+++ tomcat/site/trunk/xdocs/migration.xml Thu Oct 14 09:02:01 2010
@@ -141,6 +141,17 @@ compatibility problems.</p>
       <li><tt>manager-status</tt> - allows access to the status pages only</li>
     </ul>
 
+    <p>The HTML interface is protected against CSRF but the text and JMX
+    interfaces are not. To maintain the CSRF protection:</p>
+    
+    <ul>
+      <li>users with the <tt>manager-gui</tt> role should not be granted
+          either the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+      <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+          testing since these interfaces are intended for tools not humans) then
+          the browser must be closed afterwards to terminate the session.</li>
+    </ul>
+
   </subsection>
 
   <subsection name="Host Manager application">
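Review bot: this is the source of the first hunk in docs/migration.html, so the same wording points apply here: "jmx" should be "JMX" to match the paragraph above, the bullets should be consistent in capitalization and punctuation, and the blank line after `</p>` contains trailing whitespace. It would also help readers to state the reason for the first bullet in one clause, e.g. that a browser session logged in through the HTML interface would otherwise also authorize requests to the unprotected text and JMX interfaces, which is why holding `manager-gui` together with `manager-script` or `manager-jmx` undoes the CSRF protection.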
@@ -162,12 +173,23 @@ compatibility problems.</p>
     assign the role(s) required for the functionality you wish to access.</p>
     
     <ul>
-      <li><tt>admin</tt> - allows access to the HTML GUI and the status
+      <li><tt>admin-gui</tt> - allows access to the HTML GUI and the status
           pages</li>
       <li><tt>admin-script</tt> - allows access to the text interface and the
           status pages</li>
     </ul>
 
+    <p>The HTML interface is protected against CSRF but the text interface is
+    not. To maintain the CSRF protection:</p>
+    
+    <ul>
+      <li>users with the <tt>admin-gui</tt> role should not be granted the
+          <tt>admin-script</tt> role.</li>
+      <li>if the text interface is accessed through a browser (e.g. for testing
+          since this inteface is intended for tools not humans) then the browser
+          must be closed afterwards to terminate the session.</li>
+    </ul>
+
   </subsection>
 
   <subsection name="Session cookie configuration">
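Review bot: "inteface" in the second bullet is a typo for "interface", the same one present in the rendered docs/migration.html hunk; fix it here in the xdocs source and regenerate rather than patching the HTML by hand. As with the Manager section, the blank line after `</p>` has trailing whitespace, and the bullets would read better as full sentences with consistent capitalization.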


