I have a feeling that it's a general problem with servlet containers. It's
not in the spec (well, I don't remember exactly...) so every container
implementation can choose what to do. What it means is that there's no way
to create a container neutral application if one wants to use Java security
mechanisms.

--V.

-----Original Message-----
From: Glenn Nielsen [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 09, 2001 10:13 AM
To: [EMAIL PROTECTED]
Subject: Re: webapp classloader ProtectionDomain (running secured
tomcat)


This is true for Tomcat 3.x, but not for Tomcat 4.
Tomcat 4 allows setting of different policies for different
locations within a webapp.

Regards,

Glenn

Vladimir Grishchenko wrote:
> 
> Hi there,
> I've posted the message below to tomcat-user but it didn't get much
> attention. Is any work being done to address this?
> 
> Thanks,
> --V.
> 
> ------------------------------------------------
> Hi all,
> 
> It seems that webapp classloader puts all classes loaded from
> a webapp directory into the same ProtectionDomain regardless
> of the location where the class was loaded from (like classes
> dir or a jar file). It means that any security grant entry granting
> permissions to a webapp codesource effectively grants the same set
> of permissions to each and every class in web application. This
> is probably fine in most cases but leaves no possibility to fine
> tune security within web-application. My particular problem is
> that I'm trying to use JAAS to enable access control with custom
> JAAS policy implementation. CodeSource partitioning that Sun
> suggests requires that the code sensitive to user-based
> operations should be put into separate ProtectionDomain for JAAS
> mechanisms to work. The only way to do this with Tomcat is to put
> classes someplace out of webapp directory, so they don't inherit
> any permissions assigned to webapp ProtectionDomain. I think that
> webapp class loader should put classes loaded from class directory
> and every jar file into different protection domains, like class
> loaders that load classes from the system classpath in Java.
> 
> Well, if all that makes any sense to you, maybe there's something
> I'm missing here?
> Just wanted to get other people's opinions...
> 
> --Vlad.
> 

-- 
----------------------------------------------------------------------
Glenn Nielsen             [EMAIL PROTECTED] | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
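
Added example, not part of the original thread and not Tomcat code: a Java helper for checking the behaviour discussed above, reporting which classes share a ProtectionDomain and the CodeSource location each domain carries. The class name DomainReport and the class names passed to it are hypothetical; it assumes the caller holds RuntimePermission "getProtectionDomain" when a security manager is active.

```java
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical helper (not Tomcat code): call report() from a servlet or JSP
// with the webapp class loader so the classes are resolved the way the
// container resolves them.
public class DomainReport {

    // Group class names by the identity of their ProtectionDomain object.
    // Classes in the same group get the same permissions from the policy.
    static Map<ProtectionDomain, List<String>> group(ClassLoader loader, String... names)
            throws ClassNotFoundException {
        Map<ProtectionDomain, List<String>> groups = new IdentityHashMap<>();
        for (String name : names) {
            Class<?> c = Class.forName(name, false, loader);
            // Needs RuntimePermission "getProtectionDomain" under a security manager.
            ProtectionDomain pd = c.getProtectionDomain();
            groups.computeIfAbsent(pd, d -> new ArrayList<>()).add(name);
        }
        return groups;
    }

    // CodeSource location of a domain; bootstrap classes have no CodeSource.
    static String location(ProtectionDomain pd) {
        CodeSource cs = pd.getCodeSource();
        return (cs == null || cs.getLocation() == null)
                ? "<no code source>" : cs.getLocation().toString();
    }

    // One line per distinct domain: "<location> -> [class names]".
    static String report(ClassLoader loader, String... names) throws ClassNotFoundException {
        StringBuilder out = new StringBuilder();
        for (Map.Entry<ProtectionDomain, List<String>> e : group(loader, names).entrySet()) {
            out.append(location(e.getKey())).append(" -> ").append(e.getValue()).append('\n');
        }
        return out.toString();
    }

    // Stand-alone demo: one application class and one bootstrap class.
    public static void main(String[] args) throws ClassNotFoundException {
        ClassLoader loader = DomainReport.class.getClassLoader();
        System.out.print(report(loader, "DomainReport", "java.lang.String"));
    }
}
```

If a class from the webapp's classes directory and a class from one of its jar files appear on the same line, a grant to that codesource covers both, which is the situation described in the original post.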
