On 26/06/2020 00:15, jonmcalexan...@wellsfargo.com.INVALID wrote: > I have a developer that is asking WHY the following policies were set to read > only. The Change Log doesn't illuminate why. > > // The cookie code needs these. > permission java.util.PropertyPermission > "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read"; > permission java.util.PropertyPermission > "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read"; > permission java.util.PropertyPermission > "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", > "read"; > > Any information I can share with her?
Those permissions were removed, not set to read only, for 9.0.9 onwards. It was the result of a refactoring: https://github.com/apache/tomcat/commit/6ceb931e1aac0355e0980d09814559f24406a14a I made the change but it was 2 years ago. I don't recall the motivation off-hand. /me heads off to look at the archives... ..and that is why we have the archives. It appears to stem from this issue: https://bz.apache.org/bugzilla/show_bug.cgi?id=43925 The fix for that issue led to this: https://tomcat.markmail.org/thread/mab6jbyb57phslwk Rather than add a permission, the code was refactored so the additional permission (and some of the existing permissions) were no longer required. It isn't documented, but I strongly suspect that got me looking at other permissions which led to the refactoring that allowed the removal of the cookie permissions. The general principle behind all of this being the fewer explicit permissions you need to give to applications the better. HTH, Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
