allow="127\.0\.0\.1"/>
</Context>
</pre>
+
+<p>The HTML interface is protected against CSRF but the text and JMX interfaces
+are not. To maintain the CSRF protection:</p>
+
+<ul>
+ <li>users with the <tt>manager-gui</tt> role should not be granted either the
+ <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+ <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+ testing since these interfaces are intended for tools not humans) then the
+ browser must be closed afterwards to terminate the session.</li>
+</ul>
+
</section>
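Review bot: the first added list item gives the rule (no manager-script or manager-jmx role for manager-gui users) without the reason, which leaves readers guessing how the roles relate to CSRF. Consider one more sentence saying that a browser session belonging to a user who also holds one of those roles can reach the text and JMX interfaces, which the paragraph above says are not CSRF-protected. Also, "jmx" in the second item is lower case while the paragraph writes "JMX".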
the functionality you wish to access.
</p>
<ul>
- <li><tt>admin</tt> - allows access to the HTML GUI</li>
+ <li><tt>admin-gui</tt> - allows access to the HTML GUI</li>
<li><tt>admin-script</tt> - allows access to the text interface</li>
</ul>
+ <p>
+ The HTML interface is protected against CSRF but the text interface is not.
+ To maintain the CSRF protection:
+ </p>
+ <ul>
+ <li>users with the <tt>admin-gui</tt> role should not be granted the
+ <tt>manager-script</tt> role.</li>
+ <li>if the text interface is accessed through a browser (e.g. for testing
+ since this interfaces is intended for tools not humans) then the browser
+ must be closed afterwards to terminate the session.</li>
+ </ul>
</body>
</html>
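Review bot: the first added list item names the manager-script role, but the roles this page lists just above are admin-gui and admin-script, so the text role here looks like it should be admin-script. As written, the advice does not stop a user from holding both admin-gui and admin-script, which is the combination the paragraph is warning about.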
<li><tt>admin-gui</tt> - allows access to the HTML GUI</li>
<li><tt>admin-script</tt> - allows access to the text interface</li>
</ul>
+ <p>
+ The HTML interface is protected against CSRF but the text interface is not.
+ To maintain the CSRF protection:
+ </p>
+ <ul>
+ <li>users with the <tt>admin-gui</tt> role should not be granted the
+ <tt>manager-script</tt> role.</li>
+ <li>if the text interface is accessed through a browser (e.g. for testing
+ since this interfaces is intended for tools not humans) then the browser
+ must be closed afterwards to terminate the session.</li>
+ </ul>
</body>
</html>
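Review bot: "this interfaces is intended" in the second added list item should read "this interface is intended". The first item in this hunk also refers to manager-script although the context lines list admin-gui and admin-script as the roles for this application; please confirm which role name is meant.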
<li><tt>manager-status</tt> - allows access to the status pages only</li>
</ul>
<p>
+ The HTML interface is protected against CSRF but the text and JMX interfaces
+ are not. To maintain the CSRF protection:
+ </p>
+ <ul>
+ <li>users with the <tt>manager-gui</tt> role should not be granted either
+ the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+ <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+ testing since these interfaces are intended for tools not humans) then
+ the browser must be closed afterwards to terminate the session.</li>
+ </ul>
+ <p>
For more information - please see the
<a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
</p>
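Review bot: the second added list item writes "jmx" in lower case while the added paragraph two lines earlier writes "JMX"; use one spelling. The hunk also reuses the existing opening p tag for the new paragraph and adds a fresh one before "For more information", which is well-formed but worth a quick check of the rendered page.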
<li><tt>manager-status</tt> - allows access to the status pages only</li>
</ul>
<p>
+ The HTML interface is protected against CSRF but the text and JMX interfaces
+ are not. To maintain the CSRF protection:
+ </p>
+ <ul>
+ <li>users with the <tt>manager-gui</tt> role should not be granted either
+ the <tt>manager-script</tt> or <tt>manager-jmx</tt> roles.</li>
+ <li>if the text or jmx interfaces are accessed through a browser (e.g. for
+ testing since these interfaces are intended for tools not humans) then
+ the browser must be closed afterwards to terminate the session.</li>
+ </ul>
+ <p>
For more information - please see the
<a href="/docs/manager-howto.html">Manager App HOW-TO</a>.
</p>
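Review bot: the added paragraph and list are a verbatim copy of the block in the preceding hunk, so any later correction has to be made in every copy. Since the unchanged lines at the end of the hunk already link to the Manager App HOW-TO, consider keeping the full explanation there and reducing this page to a one-sentence warning that points to it.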