tomcat-dev mailing list archives

From Glenn Nielsen <gl...@voyager.apg.more.net>
Subject Using SecurityManager to set JSP execution security policy
Date Thu, 20 Apr 2000 03:33:01 GMT
Hi,

I haven't installed Tomcat yet but I grepped through the code and found
that the AdaptiveClassLoader class uses the Security Manager.  Does that
mean that it is possible to implement a security policy for execution of
JSP in the JVM java.policy file?

Something like this?

grant codeBase "file:/some/path/to/tomcat/work/*" {
   // permissions
};

If very restrictive permissions were set, would that cause the servlet
which is generated from the JSP to generate a SecurityException when
it is run?  (I did a grep for Priveleged and did not find anything)

If the JSP were able to run, then could any beans or tag libraries installed
on the server which used classes/methods that would generate a SecurityException
have the code surrounded by beginPrivileged()/endPrivileged()?

We are very interested in pushing out to over 500 web publishers (non programmers)
the ability to publish dynamic content using JSP 1.1 by solely using beans
and/or tag libraries.  Not being able to implement Security for JSP is
a show stopper for us.

Regards,

Glenn

----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
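
An added illustration of the two mechanisms the message asks about, not part of the original post and not Tomcat code: a policy that grants nothing to the generated-servlet directory, and a bean that wraps its sensitive call in `AccessController.doPrivileged`, the standard Java 2 API for privileged blocks. The class name `WorkingDirBean`, the JAR path and the chosen permission are assumptions.

```java
// Constructed example. Policy entries this class assumes (paths are placeholders):
//
//   grant codeBase "file:/some/path/to/tomcat/work/-" {
//       // deliberately empty: generated JSP servlets get no extra permissions
//   };
//   grant codeBase "file:/some/path/to/trusted-beans.jar" {
//       permission java.util.PropertyPermission "user.dir", "read";
//   };
//
// In a codeBase URL a trailing "/*" matches only the class and JAR files directly
// in that directory; "/-" also matches everything in its subdirectories.
//
// The Security Manager was deprecated in Java 17 and permanently disabled in
// Java 24; on those JVMs doPrivileged simply runs the action.
import java.security.AccessController;
import java.security.PrivilegedAction;

public class WorkingDirBean {

    // Called from a JSP. Without doPrivileged the permission check walks the whole
    // call stack, reaches the JSP's protection domain (which has no grant) and
    // throws a SecurityException.
    public String getWorkingDir() {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                // The stack walk stops at this class, so the bean's grant is
                // consulted and the calling JSP's is not.
                return System.getProperty("user.dir");
            }
        });
    }

    // The property name is hard-coded on purpose: passing caller-supplied input
    // into a privileged block would lend the bean's permissions to the page.
    public static void main(String[] args) {
        System.out.println(new WorkingDirBean().getWorkingDir());
    }
}
```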
