Hello,
1. I am wondering if any users running XWiki on Tomcat 5.5 have set
up a SecurityManager policy. The documentation isn't really clear
on this, other than "it's an issue" that may not be resolved. The
one "comment" on XWiki.org that has a security policy is close but
not quite clear. I couldn't figure out the part about Log4J.
- is a policy necessary?
- without one, are there any inherent security risks using
XWiki/Tomcat "out of the box"?
- what about Tomcat's default "users" and "roles"?
2. Are there any security risks using the default "xwiki"
installation location in webapps? i.e., if it's there and someone
realizes you're running XWiki, couldn't they then direct their
attacks specifically at MySQL / Tomcat / XWiki, looking for holes?
I tried installing the WAR to a different location, and failed
miserably. Does it matter?
3. Is anyone using XWiki over SSL? Anything special we need to do
for that, other than getting a certificate?