On Aug 15, 2009, at 8:48 AM, [Ricardo Rodriguez] Your EPEC Network ICT Team wrote:
> Hi,
>
> Trevor wrote:
>> Hello,
>>
>> 1. I am wondering if any users running XWiki on Tomcat 5.5 have set up a SecurityManager policy. The documentation isn't really clear on this, other than "it's an issue" that may not be resolved. The one "comment" on XWiki.org that has a security policy is close but not quite clear. I couldn't figure out the part about Log4J.
>>
>> - is a policy necessary?
>> - without one, are there any inherent security risks using XWiki/Tomcat "out of the box"?
>> - what about Tomcat's default "users" and "roles"?
>>
>> 2. Are there any security risks using the default "xwiki" installation location in webapps? i.e. if it's there and someone realizes you're running XWiki, couldn't they then direct their attacks specifically at MySQL / Tomcat / XWiki, looking for holes? I tried installing the WAR to a different location, and failed miserably. Does it matter?
>>
>> 3. Is anyone using XWiki over SSL? Anything special we need to do for that, other than getting a certificate?
>
> Concerning this, please, Vincent, is this entry still valid?
>
> http://www.xwiki.org/xwiki/bin/view/FAQ/HowDoIAddASecureSignonPage

I have no idea... :) This page was written by Ludovic a very long time ago (end 2006).

However I think you can configure XWiki to run over SSL. At least I know that it's handled at some places in the code. But I don't know much about this.

Thanks
-Vincent