tomcat-dev mailing list archives

From Costin Manolache <cos...@costin.dnt.ro>
Subject Re: Using SecurityManager to set JSP execution security policy
Date Thu, 20 Apr 2000 03:56:22 GMT
Policy-based security doesn't work yet - there are some special changes that
need to be done in the AdaptiveClassLoader (to allow the JVM access to the code
source).

It is on the todo list, and I'll do it if nobody else has the time/will to implement
it, but please don't expect too much - we'll need a lot of review, security can't be
done in a few weeks.

Costin


Glenn Nielsen wrote:

> Hi,
>
> I haven't installed Tomcat yet but I grepped through the code and found
> that the AdaptiveClassLoader class uses the Security Manager.  Does that
> mean that it is possible to implement a security policy for execution of
> JSP in the JVM java.policy file?
>
> Something like this?
>
> grant codeBase "file:/some/path/to/tomcat/work/*" {
>    // permissions
> };
>
> If very restrictive permissions were set, would that cause the servlet
> which is generated from the JSP to generate a SecurityException when
> it is run?  (I did a grep for Privileged and did not find anything)
>
> If the JSP were able to run, then could any beans or tag libraries installed
> on the server which used classes/methods that would generate a SecurityException
> have the code surrounded by beginPrivileged()/endPrivileged()?
>
> We are very interested in pushing out to over 500 web publishers (non programmers)
> the ability to publish dynamic content using JSP 1.1 by solely using beans
> and/or tag libraries.  Not being able to implement security for JSP is
> a show stopper for us.
>
> Regards,
>
> Glenn
>
> ----------------------------------------------------------------------
> Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
> MOREnet System Programming               |  * if iz ina coment.      |
> Missouri Research and Education Network  |  */                       |
> ----------------------------------------------------------------------
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
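The mechanism the question describes, as an added example that is not part of this thread or of Tomcat's code: a Policy that grants code from the work directory nothing (the in-code equivalent of the quoted grant block), a permission check standing in for what a SecurityManager does when a generated servlet opens a file, and a trusted bean that wraps that same check in AccessController.doPrivileged, the released JDK 1.2 name for the beginPrivileged()/endPrivileged() pair mentioned above. It assumes a JDK from 8 to 17 (these APIs are deprecated for removal in later releases) and the hypothetical work directory path from the question; no SecurityManager is installed, because AccessController.checkPermission walks the stack and consults the Policy on its own, so the direct read is denied and the read through the bean is allowed.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.*;

public class JspWorkDirPolicyDemo {
    // Hypothetical work directory, mirroring the codeBase of the quoted grant block.
    static final String WORK_DIR = "file:/some/path/to/tomcat/work/";

    // In-code stand-in for java.policy: code under WORK_DIR gets no permissions, all other code gets every permission.
    static final Policy WORK_DIR_POLICY = new Policy() {
        @Override public boolean implies(ProtectionDomain pd, Permission p) {
            CodeSource cs = pd.getCodeSource();
            boolean fromWorkDir = cs != null && cs.getLocation() != null
                    && cs.getLocation().toString().startsWith(WORK_DIR);
            return !fromWorkDir;
        }
    };

    // A context holding only the protection domain of a servlet generated into WORK_DIR (constructed, not loaded).
    static AccessControlContext generatedServletContext() throws Exception {
        CodeSource cs = new CodeSource(URI.create(WORK_DIR).toURL(),
                (java.security.cert.Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null, null, null); // dynamic: consults the Policy
        return new AccessControlContext(new ProtectionDomain[] { pd });
    }

    // The check a SecurityManager would perform when the servlet opens /etc/hosts for reading.
    static boolean readHostsAllowed() {
        try {
            AccessController.checkPermission(new FilePermission("/etc/hosts", "read"));
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    // Trusted bean: the stack walk stops at this doPrivileged frame, so only the bean's own
    // (fully granted) code source is consulted and the restricted servlet domain above it is not.
    static boolean readHostsViaTrustedBean() {
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) JspWorkDirPolicyDemo::readHostsAllowed);
    }

    public static void main(String[] args) throws Exception {
        Policy.setPolicy(WORK_DIR_POLICY);
        AccessControlContext jsp = generatedServletContext();
        boolean direct = AccessController.doPrivileged((PrivilegedAction<Boolean>) JspWorkDirPolicyDemo::readHostsAllowed, jsp);
        boolean viaBean = AccessController.doPrivileged((PrivilegedAction<Boolean>) JspWorkDirPolicyDemo::readHostsViaTrustedBean, jsp);
        System.out.println("direct read from generated servlet allowed: " + direct);
        System.out.println("read via trusted bean's doPrivileged allowed: " + viaBean);
    }
}
```

Under a real policy file the same effect comes from the quoted grant block (no permissions for the work directory) together with full grants for the container and the bean or tag library jars; the bean then asserts its own privilege exactly as readHostsViaTrustedBean does.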

