Jeanfrancois Arcand wrote:
Costin Manolache wrote:
Jon Scott Stevens wrote:
I wonder if one could use these techniques to hack a servlet engine
somehow
and get from one context to another (assuming you had access to run
servlets
in it...ie: shared hosting)...
http://www.javaspecialists.co.za/archive/Issue014.html
-jon
Interesting - but it won't work if the security manager is enabled.
If the security manager is disabled ( as it is in 99% of the cases ) -
there is no protection at all, if you can run servlets - you can do
anything a C program can. Just load a JNI library and then control the
VM at the low level, and access/modify anything that tomcat user can.
It may be a good idea if 5.0 would have the secure mode as default.
Users will complain their apps won't work and tomcat will be a bit
slower - but if this raises their awarness on security and maybe they
fix some of the webapps to work in the sandbox, then it's worth it.
Restoring the current mode can be easy - like adding a "-insecure"
option or some TOMCAT_INSECURE env :-)
+1 And I'm sure that for the majority of Tomcat user, the performance
hit will not be so high.
-- Jeanfrancois
+1 In my testing I found that the SecurityManager added 7% overhead.
For me security is well worth the 7%.
The sandbox is IMHO the biggest benefit of Java over all other
languages ( including .net - I know they have similar concept, but I
don't think it matches the JVM ).
Hear, hear. That is what got me involved with Tomcat.
Glenn
----------------------------------------------------------------------
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
----------------------------------------------------------------------
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
