Costin Manolache wrote: > Glenn Nielsen wrote: > > >><ballot> >> [ ] commit XML Policy source to jakarta-tomcat-4.0 HEAD >> and include it in future release of Tomcat 4.1.x >> [X] commit to CVS but don't add to the next release >> [ ] create a Tomcat 4.2 development branch and commit there (Ugh!) >> [ ] -1 Don't commit to CVS (Please explain why) >></ballot> > > > I'm -0 on adding yet another config file - WEB-INF/policy.xml is also > strange as webapps ( which shouldn't be trusted ) get to set the security > policy. This is very tricky - and will need a lot of review. > > However I'm -1 on adding deps on castor and doing schema validations - at > least at this stage ( and after the experience we had with web.xml > schemas ). Castor is very nice, but is also a big thing. > > The current policy file is standard and likely to be understood by tools. > XML may be in theory easier, however I doubt too many tools understand > this particular DTD. So I prefer keeping the current file format as default, > at least until a standard security policy DTD is defined ( standard == > we're not the only ones using it :-). > > If you need this functionality - I would propose making it a separate > module ( sort of add-on to tomcat ), instead of bundling it with tomcat > by default.
I'd commit it as a module for now, and work from there. If we could avoid having to use Castor XML for parsing, that would be nice. I understand your point of adding a new non-standard configuration file. Remy -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
