Posted to users@tomcat.apache.org by ryan boyd <ry...@gmail.com> on 2005/07/13 03:33:11 UTC

Clusters - Disabling or restricting autodiscovery

When using Tomcat clusters on an untrusted subnet or using a routable
multicast address, I see the potential for a rogue Tomcat instance to
join a cluster in order to hijack session information.

Is there any way to restrict autodiscovery of cluster membership to a
known list of IPs or disable autodiscovery altogether?

Thanks,

Ryan

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Clusters - Disabling or restricting autodiscovery (security question)

Posted by ryan boyd <ry...@gmail.com>.
When using Tomcat clusters on an untrusted subnet or using a routable
multicast address, I see the potential for a rogue Tomcat instance to
join a cluster in order to hijack session information.  This doesn't
seem to be cured by any firewalling of incoming connections to the
valid servers, as, from what I have read, the valid servers will
connect to the rogue server on the address/port specified by the rogue
server's multicast transmission and will transfer session data to it.

If this isn't correct, I'd be grateful for an explanation.  If this is
correct, is there any way to restrict autodiscovery of cluster
membership to a known list of IPs or disable autodiscovery altogether?

Thanks,

Ryan