tomcat-dev mailing list archives

From Glenn Nielsen <gl...@voyager.apg.more.net>
Subject Re: [PROPOSAL] New build targets for Tomcat
Date Sat, 22 Jul 2000 00:08:39 GMT
-1 on providing separate builds of tomcat

I thought Tomcat was supposed to be the reference implementation
for the latest servlet _and_ jsp specs.

I don't see where Jasper is inherently any less secure than
the core of Tomcat.

Looking at bugtraq I only found two things referenced.

source.jsp
  Simple, just remove it; a servlet installed by default could just
  as easily have been the source of a 'security' problem.

/admin context
  Configure something in web.xml so the default install prevents
  access, then provide instructions on how to configure an admin
  role.  This isn't related to Jasper at all.

Were there any others?

Tomcat 3.2 does have a good start on an answer to security for
both servlets AND JSP: the ability to use the Java SecurityManager
to implement a security policy configured in tomcat.policy.

Glenn



Jon Stevens wrote:
> 
> Hey all,
> 
> Definitions:
> Tomcat - Servlet Engine
> Jasper - JSP Engine
> 
> These recent security advisories on Bugtraq have me a bit worried. I'm
> worried that because of Jasper, people will view Tomcat as being insecure
> when it really is not Tomcat's fault. Essentially the crux of the advisories
> is that the implementation of JSP that comes with Tomcat is somewhat
> security hole prone, we are now up to 3 or 4 security advisories for Jasper,
> and zero for Tomcat itself.
> 
> What I would like to do is simply be able to provide people with the ability
> to create a copy of Tomcat that does not have *any* support for JSP within
> it. This way, people who do not care to use JSP (like myself) can feel
> secure that any hole in Jasper will not compromise my server in any way. I
> am ok with the default continuing to be a distribution of Jasper+Tomcat. My
> goal here is simply providing options, not removing existing functionality.
> 
> I think that this can be done fairly easily with more defined targets in the
> Ant build scripts.
> 
> My proposal would be to break things up like this:
> 
> Build only the necessary files for Tomcat itself:
> <target name="compile-tomcat">
> 
> Build only the necessary files for JSP:
> <target name="compile-jsp">
> 
> Package Tomcat for distribution sans JSP:
> <target name="package-tomcat">
> 
> Package Tomcat for distribution with JSP:
> <target name="package-tomcat-jsp">
> 
> The current "webapps" target would also be split up:
> <target name="webapps-servlets">
> <target name="webapps-jsp">
> 
> Comments?
> 
> -jon
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
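As an added illustration of the web.xml approach Glenn describes for the /admin context (example configuration written for this page, not taken from the original message or from the Tomcat project), the Servlet 2.2 fragment below puts every URL in the context behind a security-constraint so that an out-of-the-box install answers with a challenge instead of serving the pages. The role name `admin`, the realm name and the `/*` pattern are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

<!-- Added example, not from the original thread: a web.xml for an
     admin context that is closed by default.  The role name "admin",
     the realm name and the url-pattern are assumptions. -->
<web-app>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <!-- protect every resource in this context, not just one page -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- only principals mapped to this role get through; a default
           install that maps no user to the role is effectively shut -->
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Admin</realm-name>
  </login-config>

  <!-- declare the role so the container can map users onto it -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

Mapping real users onto the `admin` role is done in the container's realm configuration rather than in web.xml, so the shipped default can leave that role empty and the instructions can tell the administrator how to add a user to it. Two caveats a practitioner would want: check that the constraint really covers the whole context (an `/admin/*` pattern in a context already mounted at `/admin` would not match), and remember that BASIC authentication sends the credentials base64-encoded on every request, so it should only be used over TLS or on a trusted network.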
