chris derham wrote:
>> Maybe the first question should be: why do you want to run this with the
>> Security Manager?
>> As far as I understand this, the SM only really helps, if otherwise unsecure
>> applications can be deployed within your JVM.  Is that the case, or do you
>> know and control all the applications from the start?
>
> Isn't it more like a dog and a muzzle? In theory if you know the dog
> and it is always friendly, there is no need to use one. However if all
> dogs wore muzzles, there would be fewer dog attacks.
>
> IMHO security in depth is about making things harder for the bad guys.
> Adding a security manager should do this, if it is configured
> correctly. BTW I am not saying that I actually do this, just that I
> think that everyone should to make it harder for when the bad guys
> break into your app.


I agree in principle.
It's just that - as the OP's problem illustrates - running with SM enabled is a p.i.t.a., because 1) it certainly must have an overhead and 2) to do it right, it forces one to really know what every application is doing that matters to the SM. (There isn't really any point in enabling the SM, and then giving every application the "AllPermissions" permission.) Security-wise, that is not a bad thing certainly. At least it forces you to know what these things are really doing. But it is time-consuming, to say the least.

Anyway, it looks like the OP doesn't really have a choice.

