https://bz.apache.org/bugzilla/show_bug.cgi?id=62830
--- Comment #14 from Konstantin Kolinko <knst.koli...@gmail.com> ---

I think that this listener must be mentioned on "security-howto.xml".
http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Listeners

It can be configured in any container (e.g. in context.xml) and it will load an arbitrary DLL, and I think that this will be done with only Tomcat code in the call stack. That means that it will run with Tomcat's "java.security.AllPermission" permissions.

This is not a problem, as server.xml/context.xml are edited by a trusted administrator. But whoever does a security audit of those files should be aware of this effect. Thus I think this listener should be mentioned.
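
An added example, not part of the original comment or of Tomcat's code: one way an auditor could list `<Listener>` elements at every container level of a server.xml/context.xml file and flag classes outside a reviewed allowlist. The allowlist contents, the sample XML, and the `com.example.NativeLoaderListener` class with its `libraryPath` attribute are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: listener classes this site has already reviewed (constructed allowlist).
REVIEWED = {
    "org.apache.catalina.startup.VersionLoggerListener",
    "org.apache.catalina.core.JreMemoryLeakPreventionListener",
    "org.apache.catalina.core.ThreadLocalLeakPreventionListener",
}

# Constructed sample: one reviewed listener on <Server>, one unreviewed
# (hypothetical) listener nested inside a <Context>.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/app">
          <Listener className="com.example.NativeLoaderListener"
                    libraryPath="/opt/app/native/libexample.so"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>"""


def audit_listeners(xml_text, source="<inline>"):
    """Return one finding per <Listener> whose className is not in REVIEWED."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        for child in elem:
            if child.tag != "Listener":
                walk(child, here)  # listeners may sit in any container
                continue
            cls = child.get("className", "")
            if cls not in REVIEWED:
                attrs = {k: v for k, v in child.attrib.items() if k != "className"}
                findings.append({"source": source, "container": here,
                                 "className": cls, "attributes": attrs})

    walk(ET.fromstring(xml_text), "")
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SERVER_XML, "server.xml"):
        print(f"{f['source']}: {f['container']} -> {f['className']} {f['attributes']}")
```
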