Hello,
1. I am wondering if any users running XWiki on Tomcat 5.5 have set up a SecurityManager policy. The documentation isn't really clear on this, other than "it's an issue" that may not be resolved. The one "comment" on XWiki.org that has a security policy is close but not quite clear. I couldn't figure out the part about Log4J.
   - Is a policy necessary?
   - Without one, are there any inherent security risks using XWiki/Tomcat "out of the box"?
   - What about Tomcat's default "users" and "roles"?

2. Are there any security risks using the default "xwiki" installation location in webapps? I.e., if it's there and someone realizes you're running XWiki, couldn't they then direct their attacks specifically at MySQL / Tomcat / XWiki, looking for holes? I tried installing the WAR to a different location, and failed miserably. Does it matter?

3. Is anyone using XWiki over SSL? Anything special we need to do for that, other than getting a certificate?

As you can tell, I'm not familiar with Tomcat and not a security guru. I'm just the one who has to make sure our setup "out of the box" is secure against exploits.

We're running on Ubuntu, with MySQL. Yes, the server will be behind a firewall, and the MySQL passwords have been changed.

I think what would help in the online documentation is a "security checklist" that rounds up all the various bits that I found on various pages.
Thanks,
Trevor