Analia,

On 10/23/13 4:29 AM, ANALIA DE PEDRO SANTAMARIA wrote:
> Thank you very much for the answers. What I'm trying to do is block
> the execution of certain privileges in certain web applications
> (I'm working in a security model). One way of approaching this is
> to avoid loading certain Java libraries. So what I want to do is
> set up Tomcat (or the Security Manager) so that I can restrict what
> Java classes one web application can use.

When you say "Java classes", are you talking about re-defining something like java.lang.String? If so, then the servlet spec (3.0: 10.7.2) prohibits web applications from loading classes from any of these packages from a web application class loader.

  java.*
  javax.*

Looking at current trunk, Tomcat appears to take a lazy view and just look for these two classes:

  javax.servlet.Servlet
  javax.el.Expression

So it looks like you might be able to redefine java.lang.String if you want. My analysis may be wrong -- there is a lot of code in there, but from what I see in WebappClassLoader, I think there might be a spec violation there.

> And I have to set up this in each application, because not all the
> web applications have the same permissions.

AFAIK, you can't enable per-application security permissions without writing your own SecurityManager. Had Sun decided that SecurityManager instances could be tied to ClassLoaders and manage the classes loaded by them, I think things would have been much better all around.

Anyhow, what kinds of permissions do you want to grant to (or revoke from) your web applications?

-chris
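
The class-name filtering discussed in this thread, sketched as an added example that is not part of the original message and is not Tomcat's WebappClassLoader: a web-app-first loader that never searches its own repositories for `java.*` / `javax.*` names and also refuses names on a per-application deny list. The class name `FilteringWebappLoader` and the `java.lang.reflect.` deny entry are assumptions made for illustration.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.List;

// Hypothetical per-application loader (example only, not Tomcat code).
public class FilteringWebappLoader extends URLClassLoader {
    private static final List<String> RESERVED = List.of("java.", "javax.");
    private final List<String> denied; // constructed per-application deny list

    public FilteringWebappLoader(URL[] repos, ClassLoader parent, List<String> denied) {
        super(repos, parent);
        this.denied = List.copyOf(denied);
    }

    private static boolean matches(List<String> prefixes, String name) {
        return prefixes.stream().anyMatch(name::startsWith);
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            if (matches(denied, name)) {
                throw new ClassNotFoundException("blocked by application policy: " + name);
            }
            Class<?> c = findLoadedClass(name);
            if (c == null && matches(RESERVED, name)) {
                // Reserved packages: delegate upward, never look in the web app itself.
                c = getParent().loadClass(name);
            } else if (c == null) {
                try { c = findClass(name); }          // web application repositories first
                catch (ClassNotFoundException e) { c = getParent().loadClass(name); }
            }
            if (resolve) resolveClass(c);
            return c;
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader parent = ClassLoader.getSystemClassLoader();
        try (FilteringWebappLoader l =
                 new FilteringWebappLoader(new URL[0], parent, List.of("java.lang.reflect."))) {
            System.out.println(l.loadClass("java.lang.String") == String.class);
            try {
                l.loadClass("java.lang.reflect.Method");
            } catch (ClassNotFoundException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

A filter like this only governs names resolved through this loader, so it limits what application classes can link against but is not a permission check on what the code does at run time.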