cocoon-dev mailing list archives

From Stefano Mazzocchi <stef...@apache.org>
Subject Re: XSP and file:// <-- Security issues?
Date Tue, 28 Mar 2000 12:57:31 GMT
"Stevenson, Chris (SSABSA)" wrote:
> 
> > "Stevenson, Chris (SSABSA)" wrote:
> > > For example: suppose I am an ISP wanting to run Apache and
> > > make tomcat available for my clients to run their own webapps.
> > >
> > > They can drop their apps into a public_webapp directory, and
> > > tomcat automatically loads them.
> 
> > Right.  This is standard security stuff and not really Cocoon
> > related.
> > If you do something stupid like running Cocoon as root this will
> > happen.  Run it as a regular user.  Then tighten down security.
> 
> Sure, but typically the cocoon user will have rights to all the
> public_webapp directories, and this means that a malicious user
> could access other users stored data if all webapps run in the
> one JVM - and I don't think a separate JVM for each user would
> be desirable or possible in the above situation.
> 
> Can Java security be used in this situation? You would need
> to be using different policies based on each webapp ...

I believe Tomcat will address this. Sam, what's the status on security
for Tomcat?
 
> I am just playing devil's advocate here, but I think the
> question needs to be asked.

Totally.

-- 
Stefano Mazzocchi      One must still have chaos in oneself to be
                          able to give birth to a dancing star.
<stefano@apache.org>                             Friedrich Nietzsche
--------------------------------------------------------------------
 Missed us in Orlando? Make it up with ApacheCON Europe in London!
------------------------- http://ApacheCon.Com ---------------------


