Hello,
1. I am wondering if any users running XWiki on Tomcat 5.5 have set up a
SecurityManager policy. The documentation isn't really clear on this, other
than "it's an issue" that may not be resolved. The one "comment" on XWiki.org
that has a security policy is close but not quite clear. I couldn't figure out
the part about Log4J.
- is a policy necessary?
- without one, are there any inherent security risks using XWiki/Tomcat "out of the box"?
- what about Tomcat's default "users" and "roles"?
2. Are there any security risks using the default "xwiki" installation
location in webapps? I.e., if it's there and someone realizes you're running
XWiki, couldn't they then direct their attacks specifically at MySQL / Tomcat /
XWiki, looking for holes? I tried installing the WAR to a different location,
and failed miserably. Does it matter?
3. Is anyone using XWiki over SSL? Anything special we need to do for that, other than
getting a certificate?