Return-Path: Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 76225 invoked from network); 20 Apr 2000 03:54:21 -0000 Received: from adsl-63-198-47-229.dsl.snfc21.pacbell.net (HELO costin.dnt.ro) (63.198.47.229) by locus.apache.org with SMTP; 20 Apr 2000 03:54:21 -0000 Received: from costin.dnt.ro (simona.dnt.ro [192.168.4.2]) by costin.dnt.ro (8.9.3+Sun/8.9.1) with ESMTP id UAA00325 for ; Wed, 19 Apr 2000 20:53:51 -0700 (PDT) Message-ID: <38FE7FE6.192DBE40@costin.dnt.ro> Date: Wed, 19 Apr 2000 20:56:22 -0700 From: Costin Manolache X-Mailer: Mozilla 4.72 [en] (Win98; I) X-Accept-Language: en MIME-Version: 1.0 To: tomcat-dev@jakarta.apache.org Subject: Re: Using SecurityManager to set JSP execution security policy References: <38FE7A6D.10098CCF@voyager.apg.more.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N Policy-based security doesn't work yet - there are some special changes that need to be done in the AdaptiveClassLoader ( to allow the JVM access to the code source ). It is on the todo list, and I'll do it if nobody else has the time/will to implement it, but please don't expect too much - we'll need a lot of review, security can't be done in few weeks. Costin Glenn Nielsen wrote: > Hi, > > I haven't installed Tomcat yet but I grepped through the code and found > that the AdapativeClassLoader class uses the Security Manager. Does that > mean that it is possible to implement a security policy for execution of > JSP in the JVM java.policy file? > > Something like this? > > grant CODEBASE="file:/some/path/to/tomcat/work/*" { > // permissions > }; > > If very restrictive permissions were set, would that cause the servlet > which is generated from the JSP to generate a SecurityException when > it is run? (I did a grep for Priveleged and did not find anything) > > If the JSP were able to run, then for any beans or tag libraries installed > on the server which used classes/methods that would generate a SecurityException > could have the code surrounded by beginPriveleged()/endPriveleged()? > > We are very interested in pushing out to over 500 web publishers (non programmers) > the ability to publish dynamic content using JSP 1.1 by solely using beans > and/or tag libraries. Not being able to implement Security for JSP is > a show stopper for us. > > Regards, > > Glenn > > ---------------------------------------------------------------------- > Glenn Nielsen glenn@more.net | /* Spelin donut madder | > MOREnet System Programming | * if iz ina coment. | > Missouri Research and Education Network | */ | > ---------------------------------------------------------------------- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org > For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org