tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject RE: WEB-INF classloading and on the fly compilation
Date Sat, 16 Sep 2000 19:47:53 GMT
> > My goal is to implement a server where webapps can be deployed in real
> > sandboxes, like applets in browsers. If Cocoon and other web-development
> > environments will go this way ( putting too much complexity
> > inside the web app and expecting it to work ) than the whole security will
> > be useless - you'll have a sandbox but nothing will be able to
> > run inside.
> *Your* goal.

I certainly hope there are other people interested in that. 

> For others - like me - sandboxing is not that important. Sandboxing might be
> very important for an ISP. However, these days, more and more "private" web
> servers exist.

More and more insecure web servers exist too. 

> In my company, we control all the code that is placed in the Web Server. 

Well, you may think so, and I hope you are right. I would be happy to
accept all your flames and "narrow-minded" if I can make you have just a
little doubt about this statement. 

Do you control your own code ( from a security point of view ) ? Do you
control the code ( including jsp pages, etc) written by all programmers
that work for your organization? And all the code that is included in
various APIs and packges you use ?

> On
> the other hand, the applications that we have to develop are becoming more
> and more complex.

And you still think you are controlling it? 

> Then, versatility and fast problem solving becomes much more important than
> sandboxing.

I hope you're not running an e-commerce site :-)

> Prioritizing sandboxing is very nice for a campus server used by students:
> many users are trying to hack the thing and they do not have great
> complexity demands.
> Are you giving any priority to commercial users needs?

I certainly hope so - I spent some time running servers that many users
tryed to hack, and I have an ideea about how many commercial sites are
run. And indeed, there is a huge difference. 

Do you believe that sandbox is required more for "campus" servers ( where
a traditional experience exists with hacking and admins are well aware of
the risks, and more important - the possible damage is minor) 

And on commercial sites ( where most effort goes into creating bloated
sites and delivering on short schedules, security policies don't exist or
are ignored and a break in means lots of $$$ losts ) it's less important ?

What's your security policy ? How much experience do you have on detecting
break-ins ? How much % time do you spend reviewing the code ( that is more
and more complex ) for security ?
( do you use XSL ? Are you aware that in a stylesheet you can have embeded
scripts - and you can call exec("rm -rf ~") from inside ? Or 
"exec( mail hacker < creditcard_numbers )" ? ) Same for jsps btw.

> > I am also interested in performance - and I don't like the idea of running
> > 3-4 compiler instances at the same time ( or even 1 ! ) on a production
> > site. In most cases this can be avoided by compiling at deployment time.
> "In most cases" is the key expression.
> Well, in most cases you can build a site with static HTML... so, let's kill
> both Servlet and JSP technologies too, right?

Using them in a secure way isn't the same as killing them. In fact
servlets and Jsps are the only technologies today that may provide this. 
( but that's changing, with less and less interest in security and
performance and more and more interest in feature bloat ) 

> Is Tomcat supposed to be ONLY a production server? Without being good for
> development???

I certainly hope tomcat will not be the only production server interested
in security and performance. 

And so far we put a lot of effort into making it good for development. 

> Besides, I do not have a problem with most "compile on first demand"
> performance costs. Many other people do not have problems with that too.
>  - JSP use "compile on first demand";

and it does that without including a compiler in the webapp. And it have (
thanks to Danno ) a simpe tool to allow you to precompile the jsps ( and
if you do a simple benchmark you'll notice the difference - and not only
on the first request). 

That means it is possible to satisfy both sides.  

> Do you also disaprove Hot Spot?

I will quote Stefano - sometimes it's better to delete the mail before
sending it and start again. I did that with this mail - 2 times :-)

> Well, I wonder if it is not the other way around:
>   I understand your concerns (even if they are not mine too), but do you
>   understand mine?

If I'm not too narrow-minded for that :-).


View raw message