Alban,

> > Move cocoon.xconf to WEB-INF/cocoon.xconf, as in latest
> > Cocoon versions. This is a bit more secure location than before.
>
> I don't quite understand how it helps? 

You get more secure installation.


> Having cocoon.xconf in the cocoon is insecure?

Define 'insecure'.


> Some explanations
> would be greatly appreciated because I need to evaluate the
> security issue of cocoon before spending a full development
> effort in cocoon.

1. When cocoon.xconf is directly under webapp, security of the
cocoon.xconf is highly dependent on (known or not) vulnerabilities of
the servlet container.

2. When cocoon.xconf is under WEB-INF, security of the cocoon.xconf is
still highly dependent on (known or not) vulnerabilities of the servlet
container. But, in this case, Servlet specification (IIRC) explicitly
states that these files must not be exposed by the servlet container.

I can't explain it more clearly than this; please refer to the servlet spec
and your servlet container's security guide.

PS: I will CC the users list, this might be of interest to someone else. Or,
someone else may want to express his opinion and/or experience.


Vadim
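
Vadim's two points come down to one property of the deployed layout that can be checked mechanically: configuration files should live under WEB-INF, which a spec-conforming servlet container must never serve directly, whereas anything else in the webapp directory is only as protected as the servlet mappings and the container itself. The following is an added example, not code from this thread or from the Cocoon project: a small POSIX shell audit that walks an exploded webapp directory and flags configuration files sitting outside WEB-INF/ and META-INF/. The function name and the file-name patterns are assumptions of the example; extend the patterns to whatever your application treats as sensitive.

```shell
#!/bin/sh
# Added example, not from the thread: static audit of an exploded webapp
# directory. Files under WEB-INF/ and META-INF/ must not be served by a
# spec-conforming container; files anywhere else in the webapp are only as
# protected as the servlet mappings and the container, so configuration
# files found there are reported as exposed.
# The function name and the file-name patterns are this example's assumptions.

# Usage: audit_webapp_config /path/to/exploded/webapp
# Prints one "EXPOSED: <path relative to the webapp>" line per misplaced file.
# Returns 0 when every matching file is under WEB-INF/ or META-INF/, 1 otherwise.
audit_webapp_config() {
    root="${1%/}"          # drop a trailing slash so the -path prefixes match

    # Prune the two directories a container never serves, then look for the
    # configuration file types this example treats as sensitive (assumed list).
    exposed=$(find "$root" \( -path "$root/WEB-INF" -o -path "$root/META-INF" \) -prune -o \
        -type f \( -name '*.xconf' -o -name '*.properties' \) -print)

    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed "s|^$root/|EXPOSED: |"
        return 1
    fi
    return 0
}

# Stand-alone demonstration on a constructed layout in a temporary directory:
# the old layout (cocoon.xconf at the webapp root) is flagged, the new one
# (cocoon.xconf under WEB-INF/) passes.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/WEB-INF"
    echo '<cocoon/>' > "$tmp/app/cocoon.xconf"      # constructed: old layout
    audit_webapp_config "$tmp/app" || echo "-> move the files above under WEB-INF/"
    mv "$tmp/app/cocoon.xconf" "$tmp/app/WEB-INF/"  # the move the thread recommends
    audit_webapp_config "$tmp/app" && echo "layout clean"
    rm -rf "$tmp"
fi
```

Run it against each deployed webapp directory; the non-zero exit status lets it serve as a deployment gate. It is a static check only: it verifies that the files are where the Servlet specification protects them (Vadim's second point) and says nothing about vulnerabilities in the container itself (his first point), which remain a matter of patching and of the container's own security guide.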



-----Original Message-----
From: Tsui, Alban [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 02, 2002 9:44 AM
To: [EMAIL PROTECTED]
Subject: RE: Security in cocoon.xconf?

Hi Vadim, 
The following is your reply to my original email at the forum: 
> Move cocoon.xconf to WEB-INF/cocoon.xconf, as in latest Cocoon
versions. This is a bit more secure location than before. Vadim 
I don't quite understand how it helps? Having cocoon.xconf in the cocoon
is insecure? Some explanations would be greatly appreciated because I
need to evaluate the security issue of cocoon before spending a full
development effort in cocoon.
Thanks in advance. 
Alban 




---------------------------------------------------------------------
Please check that your question  has not already been answered in the
FAQ before posting.     <http://xml.apache.org/cocoon/faq/index.html>

To unsubscribe, e-mail:     <[EMAIL PROTECTED]>
For additional commands, e-mail:   <[EMAIL PROTECTED]>
