Thank you for your reply.

On Thu, Nov 5, 2009 at 12:29 PM, Tobias Crefeld <t...@cataneo.eu> wrote:

> On Thu, 5 Nov 2009 11:04:06 +0000,
> Anurag Kapur <anuragka...@gmail.com> wrote:
>
> > 1. Why is it considered that the manager webapp should not be
> > deployed on production environments? Am I just believing a rumour
> > here or does it actually impose any security risks?
>
> With "manager" you only need a credential to control the whole
> application server, which possibly could be evaluated by social
> engineering. There are already some bots on the web that test the
> default credentials of early manager installations automatically.
>
> It is always better to use 2 or 3 barriers. For example, you could set up
> a filter so that only some IP addresses from management systems could get
> access to /manager/.
>

Ok. I know putting the manager app behind 2-3 barriers is better than
leaving it in the hands of basic tomcat authentication. But again, this
method is *better* and not foolproof. Thus we want to get rid of the manager
application completely.
> Separating JMX Proxy from manager won't be very helpful because JMX
> Proxy itself is offering control over tomcat. And it needs direct
> access to MBeans of Tomcat's JVM.
>

My Understanding:

Even if an attacker gets access to the JMX proxy servlet, it would not pose
the same risk as access to the manager application would. With the proxy
servlet you can only query the MBeans and get information about the state of
the container. However, with access to the manager application, you can
potentially reload/start/stop contexts, which is a big risk.

Am I correct with this understanding?

> RU,
>  Tobias.

Does anyone else have any other views on this topic? Your
inputs/suggestions would be highly appreciated.

Thanks
Anurag
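
As an added illustration (not part of the thread and not Tomcat's shipped configuration) of the IP barrier Tobias describes: the manager application's context file can carry a RemoteAddrValve so that only management hosts reach /manager/ at all, independently of what credentials exist. It assumes Tomcat 7 or later, where the valve's `allow` attribute is a single regular expression and the manager roles are split; the file path is Tomcat's usual per-host context location, and the IP addresses are made-up examples.

```xml
<!-- conf/Catalina/localhost/manager.xml  (added example, not from the thread) -->
<!-- Assumes Tomcat 7+ (single-regex 'allow'); addresses below are placeholders. -->
<Context antiResourceLocking="false" privileged="true">
  <!-- Second barrier in front of container authentication: requests from any
       other source address get a 403 before the manager servlets see them.
       Anchor each address with escaped dots so "10.0.0.5" cannot match
       "10.0.0.50"; the valve matches the whole remote address against the regex. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1|::1|10\.0\.0\.5" />
</Context>
```

Two points worth pairing with this. First, when Tomcat sits behind a reverse proxy the remote address is the proxy's, so the valve only works together with RemoteIpValve (or by filtering at the proxy itself). Second, from Tomcat 7 the manager roles are separate: manager-jmx grants only /manager/jmxproxy, while manager-gui and manager-script grant the interfaces that start, stop and reload contexts, so a monitoring account can be given the JMX proxy without deployment control. The JMX proxy servlet does, however, also accept set and invoke requests on MBeans rather than only queries, so it deserves the same IP restriction and the same credential hygiene as the rest of the manager webapp.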