From Costin Manolache <cos...@costin.dnt.ro>
Subject Security: object reuse and webapp separation
Date Thu, 10 Aug 2000 06:29:02 GMT
Hi,

While reviewing the code I found a (possibly serious ) problem with the
current model.

As you know, one goal is to allow webapps to run in a secure (
applet-like ) environment, where 2 different webapps can't interfere
with each other or with the container. This is a key feature for ISPs
and web hosting.

On the other side, reusing req/resp has a huge performance impact as
shown by the 3.1 - 3.2 changes.

The problem: a BadServlet can be written that will first collect a
reference to all active req/resp instances ( for example by using a
Hashtable and storing every distinct HttpServletRequest object it
receives as parameter - if the bad user sends many concurrent requests it
will quickly have all pointers in ). After that the bad user can call
the servlet with a special param and get information about all the
HttpServletRequests. Assuming you have a ShoppingWebApp on the server it
would be only a matter of time to catch a lot of information. ( for
example BadServlet can loop while one of the request objects has an
interesting parameter - credit card, etc).

I'm working on a solution - but it will involve significant changes. We
can keep reusing the Request/Response objects, but make sure WebApp1
will never get the same HttpServletRequest instance as WebApp2.

That means the Facades ( which are very light ) can't be associated 1-1
with Request/Response. We can do a limited reuse for Facades, but since
it's a very small object probably it doesn't matter, what's important is
to separate them.

After this, the facade will be associated with a Request ( either a new
facade or from a pool ) only _after_ the request is mapped - probably
before servlet execution. As an additional benefit the FacadeManager
will disappear and the separation core/facade will be much better.


I'm still spending the evenings working on the 3.3 performance ( the
change will be big, but I can't see any way of splitting it ), I'll work
on facade after I'm done with the current change.

Costin
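The separation Costin describes, sketched as an added illustration (this is not Tomcat code; `CoreRequest`, `RequestFacade` and `FacadePools` are hypothetical names): the core request object stays pooled and shared, but the facade a servlet sees is bound after mapping, pooled per webapp, and unbound from the core when the request completes, so a reference a servlet stashes away is useless afterwards.

```java
import java.util.*;

// Core request: pooled and reused by the container across all webapps (hypothetical class).
final class CoreRequest {
    String parameter;                    // e.g. a parsed form field
}

// Light facade handed to the servlet: bound to one webapp, holds the core only during one request.
final class RequestFacade {
    final String webapp;
    private CoreRequest core;
    RequestFacade(String webapp) { this.webapp = webapp; }
    void attach(CoreRequest req) { core = req; }
    void detach() { core = null; }
    // A facade a servlet kept after its request ended no longer reaches any core object.
    String getParameter() { return core == null ? null : core.parameter; }
}

// One facade pool per webapp, so a facade never crosses the webapp boundary.
final class FacadePools {
    private final Map<String, Deque<RequestFacade>> pools = new HashMap<>();
    // Called after the request is mapped to a webapp, just before the servlet runs.
    synchronized RequestFacade acquire(String webapp, CoreRequest core) {
        Deque<RequestFacade> pool = pools.computeIfAbsent(webapp, k -> new ArrayDeque<>());
        RequestFacade f = pool.isEmpty() ? new RequestFacade(webapp) : pool.pop();
        f.attach(core);
        return f;
    }
    // Called when the request completes: unbind the core before either object is reused.
    synchronized void release(RequestFacade f) {
        f.detach();
        pools.get(f.webapp).push(f);
    }
}

public class FacadeDemo {
    public static void main(String[] args) {
        FacadePools pools = new FacadePools();
        CoreRequest core = new CoreRequest();
        core.parameter = "card=4111-TEST";                    // constructed value for the shop webapp
        RequestFacade stashed = pools.acquire("shop", core);  // a servlet keeps this reference
        pools.release(stashed);
        core.parameter = "q=hello";                           // core recycled for another webapp
        RequestFacade other = pools.acquire("other", core);
        System.out.println(stashed.getParameter());   // null: detached, nothing leaks
        System.out.println(other != stashed);         // true: separate facade per webapp
    }
}
```

Within a single webapp the facade is still reused, as the message proposes; the check that matters is that `release` runs on every completion path (including errors) so a core object is never reachable through a stale facade.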
