tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Glenn Nielsen <>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/conf web.xml
Date Sun, 14 Oct 2001 20:17:16 GMT
Remy Maucherat wrote:
> > Using -security and a properly configured catalina.policy can help protect
> you.
> >
> > But the jar files for these servlets should be relocated outside of the
> > server/lib directory to make it easier to grant a different security
> policy
> > to these servlets from the core of catalina.
> Since the default configuration should be secure, I renamed the two JARs to
> non-JAR files (and added instructions to enable them. I also fixed a problem
> where it was also possible to get around the sandboxing by using the manager
> (which now will only get loaded by a privileged context).
> Remy

Those changes were needed, but I think the above change I proposed is also
needed.  Locating the servlet jar files in the same directory as catalina
makes it to easy for someone to grant to the servlets the same broad permissions
that catalina itself needs.

Moving those servlet jar files into a different directly will make it easier
to configure more restrictive permissions in the catalina.policy file.



Glenn Nielsen    | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |

View raw message