jakarta-general mailing list archives

From James Duncan Davidson <dun...@x180.com>
Subject Re: R: Java1.1 or Java2?
Date Fri, 09 Jul 1999 08:01:45 GMT

> I really hope Tomcat will be able to implement that internal servlet
> sandboxing that every ISP is asking for since JServ came out with the
> "servlet zone" idea.

I'd expect elements of the zones should stay with.. 

> I still think the Java security model is not powerful enough for ISP to
> feel completely safe against untrusted servlet execution (no quota support,
> no time-limited execution since stop() is deprecated and may create JVM
> instability, etc.).

If each web app (er, zone) were a separate VM, some of this can be
stolen back.

> but it could reach the point where different ISP clients
> are not able to sniff each other's data and this is good enough for most of
> them (since they will probably end up asking for the source code or
> decompile them if something goes wrong)

Yep, part of the impetus behind some of the spec decisions we've been
making.

> Anyway, servlet sandboxing is _NOT_ a trivial thing to do and I wish Sun's
> security experts could jump in and help us a little with this.

Working on it. We'll see.

-- 
James Davidson       
<duncan@eng.sun.com>            http://java.sun.com/products/servlet
<duncan@x180.com>                                http://www.x180.com
!try; do()                                            PGP:0x7D776205
