tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: [Bug 389] New - Security Issue? Important attributes exposed by ServletContext can be modified BugRat Report#682
Date Tue, 13 Mar 2001 01:29:58 GMT

On Mon, 12 Mar 2001, Glenn Nielsen wrote:

> The latest version of Tomcat 4.0 from CVS supports the Java SecurityManager.
> Tomcat 4.0 Beta 1 did not.
> The Java SecurityManager can restrict access to those properties and do a 
> great deal more to assist you in running a secure application server.
> I wouldn't consider what you reported as a bug now that the Java SecurityManager
> has been implemented.

I think the issue is still real (assuming that you don't have total
control over the code installed in your web app), because context
attributes are mutable.  These attributes were originally introduced to
avoid code dependencies between Jasper and the servlet container it runs
in.  Now that we have a JNDI context, I think that might be a more
appropriate mechanism, because the context itself is immutable.

> BTW, if you are attending ApacheCon 2001 Apr 4-6, I will be presenting a session on
> "Tomcat Server and Application Security" that goes into great detail on
> how the Java SecurityManager works and using it with Tomcat.

Gee, maybe I'd better come and learn :-).  I will definitely be there,
because I'm presenting two other Tomcat related sessions and one on web
application architectures:
- TH13 "The Tomcat Servlet Container" (will cover 4.0 architecture)
- TH09 "Migrating Apache JServ Applications to Tomcat"
- W16 "Recommendations for Java-Based Web Application Architectures"
> Regards,
> Glenn


To unsubscribe, e-mail:
For additional commands, email:

View raw message