tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jon Stevens <>
Subject [PROPOSAL] New build targets for Tomcat
Date Fri, 21 Jul 2000 20:09:31 GMT
Hey all,

Tomcat - Servlet Engine
Jasper - JSP Engine

These recent security advisories on Bugtraq have me a bit worried. I'm
worried that because of Jasper, people will view Tomcat as being insecure
when it really is not Tomcat's fault. Essentially the crux of the advisories
is that the implementation of JSP that comes with Tomcat is somewhat
security hole prone, we are now up to 3 or 4 security advisories for Jasper,
and zero for Tomcat itself.

What I would like to do is simply be able to provide people with the ability
to create a copy of Tomcat that does not have *any* support for JSP within
it. This way, people who do not care to use JSP (like myself) can feel
secure that any hole in Jasper will not compromise my server in any way. I
am ok with the default continuing to be a distribution of Jasper+Tomcat. My
goal here is simply providing options, not removing existing functionality.

I think that this can be done fairly easily with more defined targets in the
Ant build scripts.

My proposal would be to break things up like this:

Build only the necessary files for Tomcat itself:
<target name="compile-tomcat">

Build only the necessary files for JSP:
<target name="compile-jsp">

Package Tomcat for distribution sans JSP:
<target name="package-tomcat">

Package Tomcat for distribution with JSP:
<target name="package-tomcat-jsp">

The current "webapps" target would also be split up:
<target name="webapps-servlets">
<target name="webapps-jsp">



View raw message