tomcat-dev mailing list archives

From Janco Tanis <servl...@coas.com>
Subject Re: ClassLoaders
Date Thu, 20 Jul 2000 21:25:12 GMT


"Craig R. McClanahan" wrote:

>
> A couple of ideas (that are already implemented in the Catalina class loader)
> are worth thinking about:
>
> * "Restricted" classes:  the class loader refuses to load
>   these classes at all  [org.apache.tomcat.*].  The intent
>   is to prevent a "bad guy" servlet from being able to cast
>   the HttpServletRequest and HttpServletResponse objects
>   passed to the service() method to their internal Tomcat
>   equivalents, and get into mischief.
>

I would guess that you need at least a SecurityManager to protect introspection of
your internal classes and invoking methods on them using the reflection package?

janco
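
The point discussed in this exchange, as an added Java example that is not part of the original messages and is not Tomcat or Catalina code: a class loader that refuses a restricted prefix blocks resolution by name, but an object the container has already handed over still exposes its class through getClass(). `RestrictedLoaderDemo`, `InternalRequest` and `RestrictingLoader` are hypothetical stand-ins for the container's internal classes and its webapp class loader.

```java
import java.lang.reflect.Method;

public class RestrictedLoaderDemo {
    // Hypothetical stand-in for a container-internal class (the role of org.apache.tomcat.*).
    public static class InternalRequest {
        public String internalState() { return "container-private"; }
    }

    // Hypothetical webapp class loader: refuses any class name under the restricted prefix.
    static class RestrictingLoader extends ClassLoader {
        private final String restrictedPrefix;

        RestrictingLoader(ClassLoader parent, String restrictedPrefix) {
            super(parent);
            this.restrictedPrefix = restrictedPrefix;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (name.startsWith(restrictedPrefix)) {
                throw new ClassNotFoundException("restricted: " + name);
            }
            return super.loadClass(name, resolve);
        }
    }

    public static void main(String[] args) throws Exception {
        String internalName = InternalRequest.class.getName();
        ClassLoader webappLoader =
            new RestrictingLoader(RestrictedLoaderDemo.class.getClassLoader(), internalName);

        // 1. Resolution by name through the webapp loader is refused, so servlet
        //    code compiled against the internal type cannot link (no cast possible).
        try {
            Class.forName(internalName, false, webappLoader);
            System.out.println("load by name: allowed");
        } catch (ClassNotFoundException e) {
            System.out.println("load by name: refused");
        }

        // 2. The object passed in by the container still carries its Class, and that
        //    path never consults the webapp loader. Closing it needs a separate
        //    control, such as the SecurityManager check suggested in the message.
        Object request = new InternalRequest();
        Method m = request.getClass().getMethod("internalState");
        System.out.println("reflective call: " + m.invoke(request));
    }
}
```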




