tomcat-dev mailing list archives

From Bob Herrmann
Subject security
Date Wed, 16 Oct 2002 21:06:54 GMT

Looking into the Tomcat jars, I noticed the package "org.apache.jk"
isn't blocked... so even with the Security Manager running, I think I am
able to get catalina to load "arbitrary classes" like this,

   org.apache.jk.apr.TomcatStarter.mainClasses = new String[]{ "someClass" };

   org.apache.jk.apr.TomcatStarter.main(new String[0]);

So, my question is, should we "block" access to package "org.apache.jk"
from webapps?
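
The question above turns on whether "org.apache.jk" is covered by the JVM's `package.access` security property, which the Security Manager consults through `checkPackageAccess`. The Java below is an added example, not part of the original message or of Tomcat's code; it applies the same prefix rule to restricted-package lists. The class name `PackageAccessAudit` and both list values are constructed assumptions.

```java
import java.util.ArrayList;
import java.util.List;

public class PackageAccessAudit {

    // Split a package.access value ("a.,b.c.") into trimmed, non-empty entries.
    static List<String> parse(String packageAccess) {
        List<String> entries = new ArrayList<>();
        for (String e : packageAccess.split(",")) {
            String t = e.trim();
            if (!t.isEmpty()) entries.add(t);
        }
        return entries;
    }

    // Same matching rule SecurityManager.checkPackageAccess applies:
    // the class's package starts with an entry, or the entry equals package + ".".
    static boolean isRestricted(String packageAccess, String className) {
        int dot = className.lastIndexOf('.');
        if (dot < 0) return false;              // default package has no name to match
        String pkg = className.substring(0, dot);
        for (String entry : parse(packageAccess)) {
            if (pkg.startsWith(entry) || entry.equals(pkg + ".")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String target = "org.apache.jk.apr.TomcatStarter";   // class named in the message
        // Constructed list values, for illustration only.
        String without = "sun.,org.apache.catalina.,org.apache.jasper.";
        String with = without + ",org.apache.jk.";

        System.out.println("without org.apache.jk.: restricted=" + isRestricted(without, target));
        System.out.println("with org.apache.jk.:    restricted=" + isRestricted(with, target));

        // Entries are plain string prefixes: without the trailing dot, an entry
        // also matches unrelated sibling packages such as org.apache.jkother.
        System.out.println("entry lacking trailing dot over-matches: "
                + isRestricted("org.apache.jk", "org.apache.jkother.Foo"));
    }
}
```

A match only means the Security Manager goes on to require `RuntimePermission("accessClassInPackage.<package>")`; whether a webapp holds that permission is decided by the policy in force.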

