cocoon-dev mailing list archives

From "Stevenson, Chris (SSABSA)" <ch...@ssabsa.sa.gov.au>
Subject RE: XSP and file:// <-- Security issues?
Date Tue, 28 Mar 2000 00:05:10 GMT
> "Stevenson, Chris (SSABSA)" wrote:
> > For example: suppose I am an ISP wanting to run Apache and
> > make tomcat available for my clients to run their own webapps.
> > 
> > They can drop their apps into a public_webapp directory, and
> > tomcat automatically loads them.

> Right.  This is standard security stuff and not really Cocoon 
> related. 
> If you do something stupid like running Cocoon as root this will
> happen.  Run it as a regular user.  Then tighten down security.

Sure, but typically the cocoon user will have rights to all the 
public_webapp directories, and this means that a malicious user
could access other users stored data if all webapps run in the
one JVM - and I don't think a separate JVM for each user would
be desirable or possible in the above situation.

Can Java security be used in this situation? You would need 
to be using different policies based on each webapp ...

I am just playing devil's advocate here, but I think the 
question needs to be asked.

chris.

-- Chris Stevenson ----------------------- SSABSA --
Senior Secondary Assessment Board of South Australia
60 Greenhill Road, Wayville SA 5034, Australia
email: chris@ssabsa.sa.gov.au
phone: (08) 8372 7515
  fax: (08) 8372 7590
----------------------------------------------------
