Hi,
testing package protection, I have come to the following conclusion:
Packages that we can protect against access
----------------------------------------------
o.a.catalina
o.a.jasper
o.a.jsp
o.a.jk
Packages that we can protect against definition
----------------------------------------------
o.a.catalina
o.a.jasper
o.a.jsp
o.a.jk
o.a.coyote
Package that could be protected, but need to change:
-------------------------------------------------------
o.a.naming
o.a.coyote
o.a.tomcat.util
If we decide to fully protect o.a.coyote, that means that every calls to
CoyoteRequestFacade and CoyoteResponseFacade will need to runs under a
doPrivilege blocks (every call that use o.a.tomcat.util). Then
o.a.tomcat.util could be protected (only if o.a.coyote is).
I made a wrong recommendation last week when I said that o.a.coyote can
be protected (rule #1 test using the jakarta workspace, not with your
local workspace). Testing with basic servlet prove me the contrary (see
4.1.13 release notes....guilty!). I've committed in both Tomcat 4 and 5
the proper protection configuration.
I would like to have recommendations based on which package should be
protected. Based on the list I will audit package that stay unprotected.
Thanks,
-- Jeanfrancois
--
To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@;jakarta.apache.org>
- Re: Package Protection: which one? Jean-Francois Arcand
- Re: Package Protection: which one? Remy Maucherat
- Re: Package Protection: which one? Jean-Francois Arcand
- Re: Package Protection: which one? Eddie Ruvinsky
