Costin Manolache wrote:
+1 And I'm sure that for the majority of Tomcat users, the performance hit will not be so high.
Jon Scott Stevens wrote:
I wonder if one could use these techniques to hack a servlet engine somehow
and get from one context to another (assuming you had access to run servlets
in it...ie: shared hosting)...
http://www.javaspecialists.co.za/archive/Issue014.html
-jon
Interesting - but it won't work if the security manager is enabled.
If the security manager is disabled ( as it is in 99% of the cases ) - there is no protection at all, if you can run servlets - you can do
anything a C program can. Just load a JNI library and then control the VM at the low level, and access/modify anything that tomcat user can.
It may be a good idea if 5.0 would have the secure mode as default.
Users will complain their apps won't work and tomcat will be a bit
slower - but if this raises their awareness on security and maybe they
fix some of the webapps to work in the sandbox, then it's worth it.
Restoring the current mode can be easy - like adding a "-insecure"
option or some TOMCAT_INSECURE env :-)
-- Jeanfrancois
The sandbox is IMHO the biggest benefit of Java over all other
languages ( including .net - I know they have similar concept, but I don't think it matches the JVM ).
Costin
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>