kbar wrote:
... as disabling the security I guess is not such a great idea once
the site goes into production.
Do not take my word for this, as I am far from the Java expert.
As far as I can understand it however, the Java security manager, in the
case of Tomcat, is there mainly to protect you from yourself, unless you
are allowing other people to upload webapps to your server.
When enabled, the JVM establishes kind of a "sandbox" around your
classes, the basic idea being that everything that is not explicitly
allowed, is forbidden.
When it is in force, you have to give your webapp classes explicit
permissions to access the filesystem, the network, the system properties
etc.
It does not have much to do with the protection of your server against
unauthorised Internet access by miscreants.
Unless such miscreants are able to load their own webapps in your
server, in which case I would presume they might also be smart enough to
modify your catalina.policy files anyway, and give their classes all the
permissions they want.
I also presume that running with the security manager enabled has a
cost in terms of efficiency. So your webapps will probably run faster
without it.
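
The "everything not explicitly allowed is forbidden" behaviour described in the message above, shown as an added example that is not part of the original post or of Tomcat's code. It installs no security manager; it only evaluates the same permission classes a catalina.policy grant refers to, and the /opt/tomcat paths, the webapp name myapp and the 192.0.2.x addresses are constructed assumptions.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

public class PolicyDefaultDeny {
    // Constructed grants for a hypothetical webapp under /opt/tomcat (assumed path).
    static Permissions scopedGrants() {
        Permissions p = new Permissions();
        p.add(new FilePermission("/opt/tomcat/webapps/myapp/-", "read"));
        p.add(new FilePermission("/opt/tomcat/temp/-", "read,write,delete"));
        p.add(new SocketPermission("192.0.2.10:5432", "connect")); // documentation-range IP
        p.add(new PropertyPermission("user.timezone", "read"));
        return p;
    }

    // What a policy file edited to grant everything amounts to.
    static Permissions allGrants() {
        Permissions p = new Permissions();
        p.add(new AllPermission());
        return p;
    }

    public static void main(String[] args) {
        // Constructed access requests a webapp class might trigger.
        Permission[] requests = {
            new FilePermission("/opt/tomcat/webapps/myapp/WEB-INF/web.xml", "read"),
            new FilePermission("/opt/tomcat/webapps/myapp/WEB-INF/web.xml", "write"),
            new FilePermission("/opt/tomcat/conf/catalina.policy", "write"),
            new SocketPermission("192.0.2.10:5432", "connect"),
            new SocketPermission("192.0.2.99:25", "connect"),
            new PropertyPermission("user.timezone", "read"),
            new PropertyPermission("user.home", "read"),
            new RuntimePermission("exitVM"),
        };
        Permissions scoped = scopedGrants();
        Permissions all = allGrants();
        System.out.printf("%-7s %-7s %s%n", "scoped", "all", "request");
        for (Permission r : requests) {
            // implies() is true only when some granted permission covers the request;
            // anything not covered is denied by default.
            System.out.printf("%-7s %-7s %s%n",
                scoped.implies(r) ? "allow" : "deny",
                all.implies(r) ? "allow" : "deny", r);
        }
    }
}
```

The first column shows which requests the scoped grants cover, and the second shows that a single AllPermission entry covers every request, including the write to catalina.policy.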