Jon Stevens wrote:
> 
> on 5/17/01 6:46 AM, "Dennis Doubleday" <[EMAIL PROTECTED]> wrote:
> 
> > At 08:35 PM 5/16/01, Jon wrote:
> >
> >> Also, there is a reason for the #foreach...
> >>
> >> <http://jakarta.apache.org/velocity/ymtd/ymtd-hosting.html>
> >
> > Jon,
> >
> > I agree with most of your points. I am a new Velocity user and I am very
> > impressed by its combination of power and simplicity. Reading/writing XSLT
> > specs is an exercise in masochism.
> >
> > However, I don't see how Velocity is really avoiding the fundamental
> > problem described in the document you referenced. If you are an ISP hosting
> > Velocity-based pages, you are certainly going to have to let that 14 year
> > old kid install both templates and class files; templates by themselves
> > won't accomplish much. So the incompetent or malicious client can easily
> > make the same mistake in his Command class that he would have made in the
> > JSP page, and therefore also create a DOS attack on all servlets hosted in
> > that JVM. No?
> 
> Controlling what goes into the Context is key.
> 
> There is nothing stating that you have to give the 14 year old access to
> creating .java files. Instead, the alternative approach is to place certain
> objects within the Context which allow the 14 year old to do a limited set
> of actions. This follows along with the Pull Model:
> 
> <http://jakarta.apache.org/turbine/pullmodel.html>
> 
> This is the approach that Tea <http://opensource.go.com/> uses as well as
> the general idea behind taglibs. The problem with taglibs is that there is
> no restriction on the ability to put Java code in the page. It is part of
> the JSP specification to be able to do that. Sure, you can disable it (as
> Costin said), but then you are breaking the JSP specification. And I know
> how important "standards" are to everyone...
> 

But now that both Tomcat 3.2 and Tomcat 4 support the Java SecurityManager
you can control security at the container level regardless of whether someone
is using the CFM servlet, Velocity, Cocoon, JSP, etc.

> -jon
> 
> --
> If you come from a Perl or PHP background, JSP is a way to take
> your pain to new levels. --Anonymous
> <http://jakarta.apache.org/velocity/ymtd/ymtd.html>

-- 
----------------------------------------------------------------------
Glenn Nielsen             [EMAIL PROTECTED] | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
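An added illustration of the container-level control described above (not part of the original thread): a per-webapp grant block of the kind placed in Tomcat 4's conf/catalina.policy, which takes effect when Tomcat is started with "catalina.sh start -security". The webapp name "tenant1" and the paths are assumed; anything not granted here is denied to that webapp's code, whatever template engine or servlet the tenant deploys.

```text
// Added example, not from the thread. Java policy-file syntax; webapp
// name "tenant1" and its directory layout are assumptions.
grant codeBase "file:${catalina.home}/webapps/tenant1/WEB-INF/classes/-" {
    // May read only its own deployment directory.
    permission java.io.FilePermission "${catalina.home}/webapps/tenant1/-", "read";
    // A few harmless system properties that libraries commonly read.
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    // Deliberately NOT granted, so the SecurityManager refuses them:
    //   java.net.SocketPermission               (no network connections)
    //   java.lang.RuntimePermission "exitVM"    (cannot call System.exit)
    //   java.io.FilePermission "<<ALL FILES>>"  (no roaming the filesystem)
};

// The same grant for classes the tenant ships as jars.
grant codeBase "file:${catalina.home}/webapps/tenant1/WEB-INF/lib/-" {
    permission java.io.FilePermission "${catalina.home}/webapps/tenant1/-", "read";
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission "file.separator", "read";
};
```

Note that the SecurityManager bounds what the tenant's code may touch, not how much CPU or memory it consumes, so it does not by itself address the shared-JVM resource exhaustion raised earlier in the thread.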