Edmund Urbani wrote:
Vaclav Kaspar wrote:
I want to prevent these example situations
user user1 have in his jsp script something like
FileWriter fw = new FileWriter("/home/USER2/somefile");
fw.write("blablabla");
fw.close();
or
File f = new File(/home/USER2/);
String[] files =File.list();
FileReader fr = new FileReader(files[0]);
fr.read() ....
now these cases are possible because JSP runs in user Tomcat5 and if i
want allow users JSP scripts to manipulate with IO I have to grant right
to their homes to Tomcat
I already know the posibility to use Peter's solution with multiple
Tomcat's, but for hosting more then 100 domains I aware a big useless
load of the server, and complicated starting of Tomcat's.
I recommend taking a look at the catalina.policy file. You can set all
sorts of permissions for tomcat and the individual webapps in the policy
(not sure how one would set permissions for individual JSPs though).
To enable it add the -security parameter when launching tomcat. Simply
enabling the security manager is rather likely to break existing web
applications. You will probably have to add the permissions they need to
make them usable again.
Edmund
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Thanks Edmund it seems to be the solution I was looking for.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
