
JBoss/Tomcat Status

 
John Boss
Greenhorn
Posts: 2
I asked this in Security but didn't get a response. Perhaps
it's more appropriate for the JBoss discussion forum.

How important is it to secure the JBoss/Tomcat Status page?
The question is related to this type of system design which
doesn't require login authentication.

An application handles secret URLs with a unique key, e.g.
domain.com/show.do?key=0123456789ABCDEF

This page will allow access to a secret hosted file:
domain.com/files/0123456789ABCDEF.ext

The idea is that users could then safely e-mail the URL.
A recipient would click the URL (which has the key) and it
would render the file by sending an HTTP GET request for it.

What are the implications of having the status page available?
Would there be a slight security risk of someone seeing the
GET request on this page and getting access to the content?
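
An audit sketch for the concern raised in the post, added here as an example and not part of the original post: it scans a saved copy of the status output for in-flight requests that reveal a key in either of the two URL forms described above, and reports them redacted. The XML element and attribute names, the 16-hex-digit key format and the sample data are assumptions; adjust them to what your server actually emits.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the XML form of a Tomcat-style status page.
# Element and attribute names are assumptions, not taken from the post.
SAMPLE_STATUS_XML = """<status>
  <connector name="http-8080">
    <workers>
      <worker stage="S" remoteAddr="192.0.2.10" method="GET"
              currentUri="/show.do" currentQueryString="key=0123456789ABCDEF"/>
      <worker stage="S" remoteAddr="192.0.2.11" method="GET"
              currentUri="/files/0123456789ABCDEF.ext" currentQueryString=""/>
      <worker stage="K" remoteAddr="192.0.2.12" method="GET"
              currentUri="/index.jsp" currentQueryString=""/>
    </workers>
  </connector>
</status>"""

# The two places the described design puts the secret:
# show.do?key=<key> and /files/<key>.ext (key assumed to be 16 hex digits).
KEY_IN_QUERY = re.compile(r"(?:^|&)key=([0-9A-Fa-f]{16})(?:&|$)")
KEY_IN_PATH = re.compile(r"^/files/([0-9A-Fa-f]{16})\.[A-Za-z0-9]+$")

def redact(key):
    """Keep only the first four characters so the report itself leaks nothing."""
    return key[:4] + "*" * (len(key) - 4)

def find_exposed_keys(status_xml):
    """Return (remote address, location, redacted key) for every request
    listed in the status output that reveals a secret key."""
    findings = []
    for worker in ET.fromstring(status_xml).iter("worker"):
        uri = worker.get("currentUri", "")
        query = worker.get("currentQueryString", "")
        for location, match in (("query", KEY_IN_QUERY.search(query)),
                                ("path", KEY_IN_PATH.match(uri))):
            if match:
                findings.append((worker.get("remoteAddr", "?"), location,
                                 redact(match.group(1))))
    return findings

if __name__ == "__main__":
    for addr, location, key in find_exposed_keys(SAMPLE_STATUS_XML):
        print(f"{addr}: key visible in request {location}: {key}")
```

Any finding means a viewer of the status page at that moment would have had what they need to fetch the file, so the status page needs the same access control as the files themselves.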
 