tomcat-dev mailing list archives

From "Geir Magnusson Jr." <>
Subject Re: Jasper performance
Date Fri, 18 May 2001 11:51:10 GMT

Glenn Nielsen wrote:
> Jon Stevens wrote:
> > There is no amount of security that will prevent someone from putting that
> > into their JSP page other than disabling the ability to put scriptlets into
> > things. If you do that, then you are simply where you should have been in
> > the first place...using Velocity.
> >
> Yes, but using Velocity templates limits a great deal what customers
> can do when compared to a general purpose servlet container where
> web applications can be deployed. 

Those aren't comparable, 'Velocity templates' and 'general purpose
servlet container', because Velocity is just a template tool - you still
need the servlet and servlet container. 

I am sure you understand this, but wanted to keep things clear for
others that get confused when we say 'template engine' when talking
about Velocity - it's just a 'toolkit' you can use in your webapps in
your favorite servlet environment (Tomcat, of course... )

> There is a great deal more to
> security than just preventing a 'trusted user' who can publish content
> from doing something stupid.  Nowhere in your YMTD document do I see
> anything about security, just your reference above to a trusted user
> DoS.  Heck, if one of my customers wants to use Velocity, they can do
> so if it can be deployed as a web application, but it will have to
> run within the security policies we set for the Tomcat Java SecurityManager. ;-)

Maybe it wasn't clear to you then - yes, it can be deployed in a web
application just like any other bit of Java code.

I encourage you to take a few minutes and just look it over.  We offer
decent documentation and examples, both for web use and non-web use. 
While I am pretty certain you aren't going to foreswear JSP, it's
certainly an interesting alternative, and has plenty of non-web uses as
well for code, text, SQL generation, static HTML page generation, etc...


Geir Magnusson Jr.                 
System and Software Consulting
Developing for the web?  See
"still climbing up to the shoulders..."
