Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Message-ID: <3978E607.40B7B0FB@voyager.apg.more.net>
Date: Fri, 21 Jul 2000 19:08:39 -0500
From: Glenn Nielsen
To: tomcat-dev@jakarta.apache.org
Subject: Re: [PROPOSAL] New build targets for Tomcat

-1 on providing separate builds of tomcat

I thought Tomcat was supposed to be the reference implementation for
the latest servlet _and_ jsp specs.

I don't see where Jasper is inherently any less secure than the core
of Tomcat.

Looking at bugtraq I only found two things referenced.

source.jsp
  simply just remove it, a servlet installed by default could just as
  easily have been the source of a 'security' problem.

/admin context
  configure something in web.xml so the default install prevents access,
  then provide instructions on how to configure an admin role.
  This isn't related to Jasper at all.

Were there any others?

Tomcat 3.2 does have a good start to the answer of security for both
servlets AND jsp, the ability to use the Java SecurityManager to
implement a security policy configured in tomcat.policy.

Glenn

Jon Stevens wrote:
>
> Hey all,
>
> Definitions:
> Tomcat - Servlet Engine
> Jasper - JSP Engine
>
> These recent security advisories on Bugtraq have me a bit worried. I'm
> worried that because of Jasper, people will view Tomcat as being insecure
> when it really is not Tomcat's fault. Essentially the crux of the advisories
> is that the implementation of JSP that comes with Tomcat is somewhat
> security hole prone, we are now up to 3 or 4 security advisories for Jasper,
> and zero for Tomcat itself.
>
> What I would like to do is simply be able to provide people with the ability
> to create a copy of Tomcat that does not have *any* support for JSP within
> it. This way, people who do not care to use JSP (like myself) can feel
> secure that any hole in Jasper will not compromise my server in any way. I
> am ok with the default continuing to be a distribution of Jasper+Tomcat. My
> goal here is simply providing options, not removing existing functionality.
>
> I think that this can be done fairly easily with more defined targets in the
> Ant build scripts.
>
> My proposal would be to break things up like this:
>
> Build only the necessary files for Tomcat itself:
>
>
> Build only the necessary files for JSP:
>
>
> Package Tomcat for distribution sans JSP:
>
>
> Package Tomcat for distribution with JSP:
>
>
> The current "webapps" target would also be split up:
>
>
>
> Comments?
>
> -jon

--
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
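
The reply above suggests shipping the /admin context with a web.xml that prevents access by default. The following is an added example, not part of the original thread or of the Tomcat code base, showing one way to check a deployment descriptor for that property. The two sample descriptors, the role name admin and the class example.AdminServlet are constructed, and the check assumes a no-namespace (Servlet 2.2 DTD style) web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (no-namespace, Servlet 2.2 DTD style).
OPEN_WEB_XML = """<web-app>
  <servlet><servlet-name>admin</servlet-name>
    <servlet-class>example.AdminServlet</servlet-class></servlet>
</web-app>"""

LOCKED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole admin context</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def _texts(parent, tag):
    """Non-empty, stripped text of every direct child element named tag."""
    return [e.text.strip() for e in parent.findall(tag) if e.text and e.text.strip()]

def audit_web_xml(xml_text):
    """Return findings; an empty list means every request to the context
    must come from a user in a named role (or is denied outright)."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        for wrc in sc.findall("web-resource-collection"):
            if "/*" not in _texts(wrc, "url-pattern"):
                continue
            methods = _texts(wrc, "http-method")
            if auth is None:
                findings.append("constraint on /* has no auth-constraint")
            elif methods:
                # Listing methods leaves every unlisted method unconstrained.
                findings.append("constraint on /* only covers " + ",".join(methods))
            else:
                if _texts(auth, "role-name") and root.find("login-config") is None:
                    return ["roles required but no login-config"]
                return []  # whole context covered for all methods
    return findings or ["no security-constraint covers /*"]

if __name__ == "__main__":
    for name, doc in (("open", OPEN_WEB_XML), ("locked", LOCKED_WEB_XML)):
        print(name, audit_web_xml(doc) or "OK")
```
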