[EMAIL PROTECTED] wrote:
>
> On Sat, 23 Jun 2001, Glenn Nielsen wrote:
>
> > > I believe there are important security issues, but I'm sure the spec took
> > > this into consideration - so probably I'm wrong ( of course, this will be
> > > easy to verify later on, there are quite a few ways someone could try to
> > > exploit a reversed order - but again I'm sure this was taken care of and
> > > it'll be just the fun of trying :-).
> > >
> >
> > Yes there are security issues related to the Servlet 2.3 spec webapp CL.
> > Fortunately, the Java SecurityManager can protect you if you use
> > checkPackageDefinition() in the CL. This can prevent a Servlet 2.3 webapp
> > CL from redefining system or other sensitive classes.
>
> That's only part of the problem and only part of the solution :-) I'm not
> going to argue too much about this - the archives of tomcat-dev are
> available, no need to repeat :-)
>

Are you referring to class loading security, or class loading in general?

> It all depends on how you define 'sensitive classes' - what is not
> sensitive and how you decide so ? It's turning the problem around, from
> "don't trust anything" to "don't trust specific things" - and that's
> considered dangerous by some other people.
>

That's the beauty of the Java SecurityManager. As Craig mentioned,
certain packages are automatically restricted from being defined or
accessed by a webapp in Tomcat 4.

But if the system administrator for Tomcat 4 decides they want to
restrict definition or access to other packages, all they need to do
is edit their $JAVA_HOME/jre/lib/java.security properties file.
Then grant those permissions as needed in the policy file to any
trusted webapps that may need them. By default, webapps would not
have privileges to define and/or access those packages unless you
explicitly granted them.

Requiring use of the Java SecurityManager with Tomcat 4 has been
discussed. I don't recall if a decision was reached on that.

Regards,

Glenn
----------------------------------------------------------------------
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
----------------------------------------------------------------------
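
The check discussed in this message, as an added example that is not part of the original thread and is not Tomcat's code: a webapp-first ("reversed order") class loader that consults `checkPackageDefinition()` before defining a class. The class name `GuardedWebappLoader` and the package `com.example.internal` are hypothetical, and the sketch assumes a JVM running with a SecurityManager installed.

```java
import java.net.URL;
import java.net.URLClassLoader;

// Hypothetical illustration, not Tomcat source.
// Assumed configuration (package name is constructed):
//   java.security: package.definition=com.example.internal.
//   policy file:   permission java.lang.RuntimePermission
//                      "defineClassInPackage.com.example.internal";
public class GuardedWebappLoader extends URLClassLoader {

    public GuardedWebappLoader(URL[] webappUrls, ClassLoader parent) {
        super(webappUrls, parent);
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve)
            throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            if (c == null) {
                try {
                    c = findClass(name);              // webapp copy first
                } catch (ClassNotFoundException e) {
                    c = super.loadClass(name, false); // then parent delegation
                }
            }
            if (resolve) {
                resolveClass(c);
            }
            return c;
        }
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        SecurityManager sm = System.getSecurityManager();
        int dot = name.lastIndexOf('.');
        if (sm != null && dot > 0) {
            try {
                // Denied when the package matches an entry in package.definition
                // and the calling code lacks the defineClassInPackage permission.
                sm.checkPackageDefinition(name.substring(0, dot));
            } catch (SecurityException e) {
                // Refuse the webapp's copy; loadClass then falls back to the parent.
                throw new ClassNotFoundException(name, e);
            }
        }
        return super.findClass(name);
    }
}
```

Without a SecurityManager the check is skipped entirely, so the webapp's copy of any class it ships is defined ahead of the parent's.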