Bill,
On 12/8/11 7:33 PM, Bill Wang wrote:
> Thanks to all for the explanation.
>
> I have a new question regarding the admin role.
>
> With the default setup, if I log in as admin, I can start, stop, undeploy
> and deploy the application. Now, because the admin password has
> been shared by the team, and I can't not share it with the team.

Why not use a more elaborate user database that lets you manage lots of users? There's no need to have shared passwords.

> So I plan to disable the undeploy and deploy functions from the web
> admin URL for the admin account. If anyone needs to deploy a new version,
> they have to log in to the Unix box to do it manually. With that I can
> trace and have records easily.

Ok. I would argue that letting people log into a web-based UI to do restarts, etc. is safer than giving them shell access, but that's your business.

> So I edited the file webapps/manager/WEB-INF/web.xml, and removed all
> the xml sections for remove, install, undeploy, deploy and save.
> But after I restart the Tomcat server, *I still can deploy and
> undeploy*.

I suspect you only removed the <security-constraint> sections: that will open those operations to anyone who knows those URLs, which is obviously not what you want.

If you have changed the admin password so nobody else knows it and you will require them to log in to a shell, then why do you have to modify the manager configuration at all?

> Below are the lines I removed from the web.xml file.
>
> <servlet-mapping>
>   <servlet-name>Manager</servlet-name>
>   <url-pattern>/install</url-pattern>
> </servlet-mapping>

Are you sure you removed those lines? If you *have* removed them, then you haven't properly re-deployed the webapp.
-chris
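The failure mode Chris suspects (a <servlet-mapping> left in place while its <security-constraint> was removed, leaving the operation reachable without authentication) can be checked mechanically. The script below is an added example, not part of this thread or of Tomcat; it parses a web.xml and lists every mapped url-pattern that no constraint with an <auth-constraint> covers. The web.xml fragment is constructed for illustration and is not the real manager web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not Tomcat's own): /html/* is still constrained,
# but the /deploy and /undeploy mappings have lost their constraint.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
    <url-pattern>/deploy</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Manager</servlet-name>
    <url-pattern>/undeploy</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>HTMLManager</servlet-name>
    <url-pattern>/html/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager-gui</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

NS = {"j": "http://java.sun.com/xml/ns/javaee"}

def pattern_matches(constraint_pattern, url):
    """Servlet-spec style matching: exact, path prefix ('/x/*') or extension ('*.ext')."""
    if constraint_pattern == url:
        return True
    if constraint_pattern.endswith("/*"):
        prefix = constraint_pattern[:-2]
        return url == prefix or url.startswith(prefix + "/")
    if constraint_pattern.startswith("*."):
        return url.endswith(constraint_pattern[1:])
    return False

def unprotected_mappings(web_xml):
    """Return mapped url-patterns not covered by any constraint that has an <auth-constraint>."""
    root = ET.fromstring(web_xml)
    mapped = [p.text.strip() for p in root.findall("j:servlet-mapping/j:url-pattern", NS)]
    constrained = []
    for sc in root.findall("j:security-constraint", NS):
        # A constraint without <auth-constraint> grants access to everyone, so it protects nothing.
        if sc.find("j:auth-constraint", NS) is not None:
            constrained += [p.text.strip() for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
    return [u for u in mapped if not any(pattern_matches(c, u) for c in constrained)]

if __name__ == "__main__":
    print(unprotected_mappings(WEB_XML))  # ['/deploy', '/undeploy']
```

Run it against the deployed copy of the manager's web.xml (webapps/manager/WEB-INF/web.xml) after a restart; an empty list means every mapped operation still requires a role.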