tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Glenn Nielsen <gl...@voyager.apg.more.net>
Subject Re: [Bug 389] New - Security Issue? Important attributes exposed byServletContext can be modified BugRat Report#682
Date Tue, 13 Mar 2001 03:31:07 GMT
"Craig R. McClanahan" wrote:
> 
> On Mon, 12 Mar 2001, Glenn Nielsen wrote:
> 
> > The latest version of Tomcat 4.0 from CVS supports the Java SecurityManager.
> > Tomcat 4.0 Beta 1 did not.
> >
> > The Java SecurityManager can restrict access to those properties and do a
> > great deal more to assist you in running a secure application server.
> >
> > I wouldn't consider what you reported as a bug now that the Java SecurityManager
> > has been implemented.
> >
> 
> I think the issue is still real (assuming that you don't have total
> control over the code installed in your web app), because context
> attributes are mutable.  These attributes were originally introduced to
> avoid code dependencies between Jasper and the servlet container it runs
> in.  Now that we have a JNDI context, I think that might be a more
> appropriate mechanism, because the context itself is immutable.
> 

Sounds like a good idea.  I have been finding JNDI very handy for populating
resources to Tomcat Hosts.

> > BTW, if you are attending ApacheCon 2001 Apr 4-6, I will be presenting a session
on
> > "Tomcat Server and Application Security" that goes into great detail on
> > how the Java SecurityManager works and using it with Tomcat.
> >
> 

Make that:

 - F03 "Tomcat Server and Application Security"

> Gee, maybe I'd better come and learn :-).  I will definitely be there,
> because I'm presenting two other Tomcat related sessions and one on web
> application architectures:
> - TH13 "The Tomcat Servlet Container" (will cover 4.0 architecture)
> - TH09 "Migrating Apache JServ Applications to Tomcat"
> - W16 "Recommendations for Java-Based Web Application Architectures"
> 

Sheesh, I had enough trouble getting 1 presentation ready on time, let alone three!
No wonder you have been relatively inactive on these lists lately.

BTW, did you see my proposal regarding how Tomcat 4.0 should handle
unpacking of war files?  I would like to implement it this week.
Any comments on that?

Regards,

Glenn

----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-dev-help@jakarta.apache.org


Mime
View raw message