Costin Manolache wrote:
Jeanfrancois Arcand wrote:
It will work if, in their classloader implementation, they call securityManager.checkPackageDefinition(...). The current J2EE 1.4 RI doesn't, and most of the EE implementations don't, because of the Security Manager performance hit.
I'll remove stuff in the Cluster API, modify some of the session classes to allow extending them in a different package, and everything in the core is then independent of the clustering mechanism.

No security problems if we kept the current package protection. Making those classes "public" can be dangerous if the package protection is not enabled.
That depends on the class loader - if tomcat is embedded in something else ( like J2EE or some other app ) I'm not sure how it'll protect this.
What do you do when it's -20 Celsius? ;-) Try to find something to "warm" yourself :-)
Also, a number of classes are public because they are intended to be used, and a number of security problems may happen ( as we learned ) even if the class is not accessible ( like the recent web.xml entity issues ).
Bloat is not about MB or storage. It's about code complexity, potential security, etc.

Ok. All distributions need to be thought of as secure, though.

Does that imply re-writing the current set of classloaders? It might be a good time to revisit classloader and security :-)
Do you have so much free time :-) ? I'm +1 BTW.
I was under the impression Remy was having a proposal for the classloader stuff. (IMBW). Once I have a clear understanding on all the hooks (including Axis/Apache), I would certainly work on his proposal :-)
-- Jeanfrancois
If we reach consensus on JMX - it may be a good idea to use its class loading mechanism, or something very close - the model in theory is very good. You have full control ( using mlet tags or API ) over the class loaders and hierarchy.
I'll send a separate mail with a VOTE subject.

+1 for JMX (as there's MX4J); as well as JNDI, BTW.

+1
Costin
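As an added illustration, not code from this thread or from Tomcat itself: a minimal custom class loader that makes the securityManager.checkPackageDefinition(...) call Jeanfrancois describes before it defines a class. When a SecurityManager is installed, checkPackageDefinition throws a SecurityException for any package listed in the package.definition security property, so code loaded by this loader cannot define classes into a protected package even if that package's classes are public. The class name, the directory-based lookup and the sample package name are assumptions for the example; note that the SecurityManager API is deprecated for removal in current JDKs, so this reflects the J2EE-era model being discussed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Hypothetical class loader (example only) that enforces package
 * definition protection before defining any class it loads from disk.
 */
public class PackageGuardingClassLoader extends ClassLoader {

    private final Path classRoot;

    public PackageGuardingClassLoader(Path classRoot, ClassLoader parent) {
        super(parent);
        this.classRoot = classRoot;
    }

    /**
     * Throws SecurityException if a SecurityManager is installed and the
     * package is listed in the "package.definition" security property.
     * Without a SecurityManager there is no protection at all, which is
     * the caveat raised in the thread.
     */
    static void checkPackageDefinitionAllowed(String className) {
        int dot = className.lastIndexOf('.');
        if (dot < 0) {
            return; // default package, nothing to check
        }
        String pkg = className.substring(0, dot);
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPackageDefinition(pkg);
        }
    }

    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        // Refuse to define into a protected package before reading any bytes.
        checkPackageDefinitionAllowed(name);

        Path classFile = classRoot.resolve(name.replace('.', '/') + ".class");
        try {
            byte[] bytes = Files.readAllBytes(classFile);
            return defineClass(name, bytes, 0, bytes.length);
        } catch (IOException e) {
            throw new ClassNotFoundException(name, e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed usage: with a SecurityManager installed and
        // package.definition containing "org.example.internal", loading a
        // class from that package through this loader fails with
        // SecurityException instead of being defined.
        ClassLoader loader = new PackageGuardingClassLoader(
                Path.of(args.length > 0 ? args[0] : "classes"),
                PackageGuardingClassLoader.class.getClassLoader());
        try {
            loader.loadClass("org.example.internal.Hidden");
        } catch (SecurityException e) {
            System.out.println("definition blocked: " + e.getMessage());
        } catch (ClassNotFoundException e) {
            System.out.println("not protected or not found: " + e.getMessage());
        }
    }
}
```

The check is only effective when a SecurityManager is actually installed and the package appears in package.definition; without both, defineClass proceeds for any package, which is the point made in the thread about "public" classes being dangerous when package protection is not enabled.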