tomcat-dev mailing list archives

From Glenn Nielsen
Subject Using SecurityManager to set JSP execution security policy
Date Thu, 20 Apr 2000 03:33:01 GMT

I haven't installed Tomcat yet but I grepped through the code and found
that the AdaptiveClassLoader class uses the Security Manager.  Does that
mean that it is possible to implement a security policy for execution of
JSP in the JVM java.policy file?

Something like this?

grant codeBase "file:/some/path/to/tomcat/work/*" {
   // permissions
};

If very restrictive permissions were set, would that cause the servlet
which is generated from the JSP to generate a SecurityException when
it is run?  (I did a grep for Priveleged and did not find anything)

If the JSP were able to run, then could any beans or tag libraries installed
on the server which used classes/methods that would generate a SecurityException
have the code surrounded by beginPrivileged()/endPrivileged()?

We are very interested in pushing out to over 500 web publishers (non programmers)
the ability to publish dynamic content using JSP 1.1 by solely using beans
and/or tag libraries.  Not being able to implement Security for JSP is
a show stopper for us.



Glenn Nielsen    | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
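
The arrangement asked about above, as an added example that is not part of the original message and not Tomcat code: a bean that reads one fixed resource inside a privileged block, so the restricted JSP codebase on the call stack is not consulted. It uses AccessController.doPrivileged(), the standard Java 2 API, in place of the begin/end calls named in the message. The bean class, the jar path and the site.contact property are hypothetical, and it assumes a JVM that still supports the SecurityManager and a container class loader that gives generated servlets a code source under the work directory, which the page does not confirm.

```java
// Added example, not code from Tomcat or the original message.
// Hypothetical policy entries (the bean jar path is a placeholder):
//
//   grant codeBase "file:/some/path/to/tomcat/work/*" {
//       // no permissions for servlets generated from JSPs
//   };
//   grant codeBase "file:/some/path/to/beans/siteinfo.jar" {
//       permission java.util.PropertyPermission "site.contact", "read";
//   };
import java.security.AccessController;
import java.security.PrivilegedAction;

public class SiteInfoBean {
    // Fixed by the bean author. The caller never chooses which property is
    // read, so the privileged block cannot be steered to another resource.
    private static final String CONTACT_KEY = "site.contact";

    /** Called from a JSP, e.g. via jsp:useBean and jsp:getProperty. */
    public String getContact() {
        // Without doPrivileged the access check walks the whole call stack,
        // reaches the JSP servlet's protection domain (no PropertyPermission)
        // and throws a SecurityException. doPrivileged stops the walk at this
        // class, so only the bean's own grant is consulted.
        String value = AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return System.getProperty(CONTACT_KEY);
            }
        });
        return value == null ? "" : value;
    }

    /** Same read without the privileged block, for comparison. */
    public String getContactUnprivileged() {
        return System.getProperty(CONTACT_KEY);
    }

    public static void main(String[] args) {
        // Stand-alone run; with no security manager both calls succeed.
        System.setProperty(CONTACT_KEY, "webmaster@example.org"); // constructed value
        SiteInfoBean bean = new SiteInfoBean();
        System.out.println(bean.getContact());
        System.out.println(bean.getContactUnprivileged());
    }
}
```

With a security manager and the policy above in force, getContactUnprivileged() called from a JSP fails with a SecurityException while getContact() succeeds.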
