RE: Security in cocoon.xconf?

2002-07-02 Thread Vadim Gritsenko

Alban,


  Move cocoon.xconf to WEB-INF/cocoon.xconf, as in latest
  Cocoon versions. This is a bit more secure location than before.

 I don't quite understand how it helps? 

You get more secure installation.


 Having cocoon.xconf in the cocoon is insecure?

Define 'insecure'.


 Some explanations
 would be greatly appreciated because I need to evaluate the
 security issue of cocoon before spending a full development
 effort in cocoon.

1. When cocoon.xconf is directly under webapp, security of the
cocoon.xconf is highly dependent on (known or not) vulnerabilities of
the servlet container.

2. When cocoon.xconf is under WEB-INF, security of the cocoon.xconf is
still highly dependent on (known or not) vulnerabilities of the servlet
container. But, in this case, Servlet specification (IIRC) explicitly
states that these files must not be exposed by the servlet container.

I can't explain clearer than this, please refer to servlet spec and your
servlet container's security guide.

PS I will CC users list, this might be of interest to someone else. Or,
someone else may want to express his opinion and/or experience.


Vadim



-Original Message-
From: Tsui, Alban [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 02, 2002 9:44 AM
To: [EMAIL PROTECTED]
Subject: RE: Security in cocoon.xconf?

Hi Vadim, 
The following is your reply to my original email at the forum: 
 Move cocoon.xconf to WEB-INF/cocoon.xconf, as in latest Cocoon
versions. This is a bit more secure location than before. Vadim 
I don't quite understand how it helps? Having cocoon.xconf in the cocoon
is insecure? Some explanations would be greatly appreciated because I
need to evaluate the security issue of cocoon before spending a full
development effort in cocoon.
Thanks in advance. 
Alban 




-
Please check that your question  has not already been answered in the
FAQ before posting. http://xml.apache.org/cocoon/faq/index.html

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail:   [EMAIL PROTECTED]
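The placement argument above (a file directly under the webapp root is servable by the container, a file under WEB-INF is not) can be checked mechanically. The following is an added example, not code from the thread or from Cocoon itself; it assumes the Cocoon 2.0.x datasource layout (a `<jdbc>` element with `<user>`/`<password>` children) and uses a constructed webapp tree, not a real deployment.

```python
"""Audit where cocoon.xconf sits in a webapp and whether it embeds DB credentials.

Added example (not from the mailing list). The datasource layout and the
sample files are assumptions / constructed data, not a real deployment.
"""
import posixpath
import xml.etree.ElementTree as ET

# Servlet spec: resources under these directories must not be served
# directly to clients, so a file there is only reachable through the app.
PROTECTED_DIRS = ("WEB-INF", "META-INF")

# Constructed webapp tree: webapp-relative path -> file contents
SAMPLE_WEBAPP = {
    "cocoon.xconf": """<cocoon version="2.0">
  <datasources>
    <jdbc name="personnel">
      <dburl>jdbc:hsqldb:hsql://localhost:9002</dburl>
      <user>sa</user>
      <password>s3cret</password>
    </jdbc>
  </datasources>
</cocoon>""",
    "WEB-INF/cocoon.xconf": "<cocoon version=\"2.0\"><datasources/></cocoon>",
}

def is_client_reachable(path: str) -> bool:
    """True if a webapp-relative path could be served straight to a client."""
    parts = posixpath.normpath(path).lstrip("/").split("/")  # collapse ../ tricks
    return parts[0] not in PROTECTED_DIRS

def find_credentials(xconf: str) -> list:
    """Return every <jdbc> datasource that carries a user and/or password."""
    found = []
    for jdbc in ET.fromstring(xconf).iter("jdbc"):
        user, pw = jdbc.findtext("user"), jdbc.findtext("password")
        if user is not None or pw is not None:
            found.append({"name": jdbc.get("name"), "user": user,
                          "has_password": bool(pw)})
    return found

def audit(webapp: dict) -> list:
    """Flag .xconf files holding credentials, worst first: servable location."""
    findings = []
    for path, content in webapp.items():
        creds = find_credentials(content) if path.endswith(".xconf") else []
        if creds:
            names = ", ".join(c["name"] for c in creds)
            where = "servable location" if is_client_reachable(path) else "WEB-INF"
            findings.append(f"{path}: {where} holds cleartext credentials for {names}")
    return findings
```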




RE: Security in cocoon.xconf?

2002-07-01 Thread Vadim Gritsenko

Move cocoon.xconf to WEB-INF/cocoon.xconf, as in latest Cocoon versions.
This is a bit more secure location than before.


Vadim

-Original Message-
From: Tsui, Alban [mailto:[EMAIL PROTECTED]] 
Sent: Friday, June 28, 2002 10:32 AM
To: [EMAIL PROTECTED]
Subject: Security in cocoon.xconf?

I have setup database connection in cocoon.xconf but the username and
password are required in cocoon.xconf. How secure is cocoon.xconf? Will
crashes or any tricks expose this information to the clients or other
servlets?
If so, any measure that I can take to hide such information? I am using
cocoon 2.0.1. 

Alban 
This message may contain privileged and/or confidential information.  If
you have received this e-mail in error or are not the intended
recipient, you may not use, copy, disseminate or distribute it; do not
open any attachments, delete it immediately from your system and notify
the sender promptly by e-mail that you have done so.  Thank you.

