tomcat-dev mailing list archives

From Antony Bowesman <...@teamware.com>
Subject Re: JSP and SecurityManager [was RE: 3.2.2. When's it shipping?]
Date Mon, 21 May 2001 05:49:06 GMT
Marc Saegesser wrote:
> 
> The null check is simple enough and it's already been tested in 3.3
> so I feel comfortable making the change without a beta.  I'll commit
> the change today.

Great, thanks!

> Another question regarding using the security manager and JSP.  If
> I use the default tomcat.policy file I can't access any JSP pages
> because I get an access denied exception getting the line.separator
> property.  If I add
> 
>    permission java.util.PropertyPermission "line.separator", "read";
>    permission java.util.PropertyPermission "file.separator", "read";
> 
> to tomcat.policy the pages are served correctly.  Glenn, is there
> any problem adding these two lines to the default policy?  Am I
> missing something else?

I've tested this but it ONLY works if you add these permissions with no
codeBase.  If you add them under the specified codeBase

grant codeBase "file:${tomcat.home}/-"

They still cause the access exception.  I have even tried the following
codeBases 

grant codeBase "file:c:/-"
grant codeBase "file:h:/-"

with still the same exception.  Why doesn't it work??

Rgds
Antony

> 
> > -----Original Message-----
> > From: Antony Bowesman [mailto:adb@teamware.com]
> > Sent: Friday, May 18, 2001 1:50 AM
> > To: tomcat-dev@jakarta.apache.org
> > Subject: Re: 3.2.2. When's it shipping?
> >
> >
> > Marc Saegesser wrote:
> > >
> > > I bloody hope so.
> > >
> > > Here's the plan.  Beta 5 was released on Friday, May 11.  This beta
> > > cycle is planned for one week.  Unless someone reports a show
> > > stopping bug, and so far I haven't seen one, on Friday, May 18th
> > > I'll call a release vote on tomcat-dev.  This vote lasts for one week
> > > and every committer gets to vote. A public release vote is open for
> > > one week.  So, the best case right now is May 28th.
> >
> > Not sure if this would be a showstopper; however, there is a bug in
> > jasper/runtime/JspFactoryImpl.java which causes a NullPointerException.
> > Fixed in 3.3 but not in 3.2.2
> >
> > I'm relatively new to tomcat so am not sure of the bug reporting process
> > but I sent a report of a bug to this list a couple of days ago.
> >
> > Just tested it with b5 - bug still exists.
> >
> > tomcat run -security
> >
> > gives nullPointerException in jasper/runtime/JspFactoryImpl.java
> >
> > due to no check for pageContext == null in releasePageContext
> >
> > This is fixed in 3.3
> >
> > if (pc == null) return;
> >
> > Rgds
> > Antony
> >
> > >
> > > > -----Original Message-----
> > > > From: Dave Oxley [mailto:tomcat_dev@hotmail.com]
> > > > Sent: Thursday, May 17, 2001 12:54 PM
> > > > To: tomcat-dev@jakarta.apache.org
> > > > Subject: 3.2.2. When's it shipping?
> > > >
> > > >
> > > > What is the current state of 3.2.2 development? Is it going to
> > > > ship any time
> > > > soon?
> > > >
> > > > Dave.
> > > > Dave@JungleMoss.com
> > > >

-- 
Antony Bowesman
Teamware Group 
adb@teamware.com
tel: +358 9 5128 2562
fax: +358 9 5128 2705
