"kazukin6" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > > Plz Help !! > Is it possible to disable all java code execution within jsp page (by > security manager or something) > but allow custom tags to be executed?
There isn't anything that can't be worked around. But putting:

    <jsp-config>
      <jsp-property-group>
        <url-pattern>*.jsp</url-pattern>
        <scripting-invalid>true</scripting-invalid>
      </jsp-property-group>
    </jsp-config>

in $CATALINA_HOME/conf/web.xml means that you can prove that they went out of their way to break the rules. This is section 3.3.3 of the JSP-2.1 spec.

If they put the corresponding fragment in their webapp's web.xml but with <scripting-invalid>false</scripting-invalid> then Tomcat will allow scripting (user web.xml overrides global web.xml). Also, since it is a translation-time error, it won't work if they deploy pre-compiled JSP pages.

Using a SecurityManager just limits what they can do (e.g. <% System.exit(0); %> throws an exception).

>
> The problem is that the users can change jsp files, and due to security
> reasons we can allow them to use only tags
> --
> View this message in context:
> http://www.nabble.com/Disable-java-code-execution-%3C-blabla-%3E-in-jsp%2C-but-permits-tags-tp19415053p19415053.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
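
Added example, not part of the original thread: a small audit that confirms the global descriptor sets scripting-invalid to true for *.jsp and flags any webapp web.xml that sets it back to false, the override the reply describes. The function names, file names and sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop the XML namespace so any web.xml schema version matches."""
    return tag.rsplit("}", 1)[-1]

def property_groups(web_xml_text):
    """Yield (url_patterns, scripting_invalid) per <jsp-property-group>."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():
        if local(el.tag) != "jsp-property-group":
            continue
        patterns, flag = [], None
        for child in el:
            name, text = local(child.tag), (child.text or "").strip()
            if name == "url-pattern":
                patterns.append(text)
            elif name == "scripting-invalid":
                flag = text.lower()
        yield patterns, flag

def audit(global_xml, webapp_xmls):
    """Return findings; an empty list means no descriptor re-enables scripting."""
    findings = []
    groups = property_groups(global_xml)
    if not any("*.jsp" in p and f == "true" for p, f in groups):
        findings.append("global: scripting-invalid is not true for *.jsp")
    for name, text in webapp_xmls.items():
        for patterns, flag in property_groups(text):
            if flag == "false":
                findings.append(f"{name}: scripting re-enabled for {patterns}")
    return findings

# Constructed sample descriptors (not taken from a real deployment).
GLOBAL = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><jsp-config>
  <jsp-property-group><url-pattern>*.jsp</url-pattern>
  <scripting-invalid>true</scripting-invalid></jsp-property-group>
</jsp-config></web-app>"""
OVERRIDE = GLOBAL.replace(">true<", ">false<")   # webapp flips the flag
CLEAN = "<web-app><servlet-name>x</servlet-name></web-app>"

if __name__ == "__main__":
    apps = {"appA/WEB-INF/web.xml": OVERRIDE, "appB/WEB-INF/web.xml": CLEAN}
    for finding in audit(GLOBAL, apps):
        print(finding)
```

This only inspects deployment descriptors; it does not detect pre-compiled JSP classes, which the reply notes are not subject to the translation-time check.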