Looking into the Tomcat jars, I noticed the package "org.apache.jk" isn't blocked... so even with the Security Manager running, I think I am able to get catalina to load "arbitrary classes" like this,

    <%
    org.apache.jk.apr.TomcatStarter.mainClasses = new String[]{ "someClass" };
    org.apache.jk.apr.TomcatStarter.main(new String[0]);
    %>

So, my question is, should we "block" access to package "org.apache.jk" from webapps?

Cheers,
-bob
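
An added example, not part of the original message and not Tomcat's own code: under a Security Manager, packages are closed to webapp code through the `package.access` security property, which is matched by prefix, so this audit helper reports whether a class's package is covered by a given value. The property values and the class `PackageAccessAudit` are constructed for illustration; the matching rule mirrors `SecurityManager.checkPackageAccess`.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: audits a package.access value using the same matching
// rule as java.lang.SecurityManager.checkPackageAccess.
public class PackageAccessAudit {

    // Split the comma-separated security property into trimmed entries.
    static List<String> parse(String packageAccess) {
        List<String> entries = new ArrayList<>();
        for (String e : packageAccess.split(",")) {
            if (!e.trim().isEmpty()) entries.add(e.trim());
        }
        return entries;
    }

    // Package part of a fully qualified class name ("" for the default package).
    static String packageOf(String className) {
        int i = className.lastIndexOf('.');
        return i < 0 ? "" : className.substring(0, i);
    }

    // JDK rule: the package starts with the entry, or the entry is pkg + ".".
    static boolean isRestricted(String pkg, List<String> entries) {
        for (String e : entries) {
            if (pkg.startsWith(e) || e.equals(pkg + ".")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample value, not copied from any Tomcat release.
        String before = "sun.,org.apache.catalina.,org.apache.jasper.";
        String after = before + ",org.apache.jk.";
        String[] classes = {
            "org.apache.jk.apr.TomcatStarter",
            "org.apache.catalina.startup.Bootstrap",
        };
        for (String value : new String[] { before, after }) {
            List<String> entries = parse(value);
            System.out.println("package.access=" + value);
            for (String c : classes) {
                String verdict = isRestricted(packageOf(c), entries)
                        ? "restricted" : "reachable from webapp code";
                System.out.println("  " + c + ": " + verdict);
            }
        }
    }
}
```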