tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Glenn Nielsen <gl...@mail.more.net>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
Date Tue, 01 Oct 2002 15:49:38 GMT
Right, there are no security sensitive classes in Tomcat 4 o.a.c.util.

I advocated at one time identifying which packages within o.a.c contain
security sensitive code and which don't.  And documenting this so that
a security sensitive class doesn't get added to a package considered public.

For starters, o.a.c.util could be identified as a package where no
security sensitive classes can be located.

And with JSR 115 incorporating JAAS into J2EE, perhaps it would be best
to have a o.a.c.security package.

Regards,

Glenn

Jean-Francois Arcand wrote:
> Hi Glenn,
> 
> your last addition seems, IMO, to open a security isssue with classes 
> located under the o.a.c.util directory. Actually, maybe not for Tomcat 
> 4.1, but for 5.0, I have created a class called SecurityAudit.java that 
> contains some security check. If we port your latest changes, this class 
> will be exposed to malicious uses. Also, Is there a reason why we are 
> giving the "
> 
> defineClassInPackage"?
> 
> 
> I think two solutions are available (1) move sensitive classes to 
> another package (2) create a "public" package where we want to give 
> access to some internal class.
> 
> What is your recommendation?
> 
> Thanks,
> 
> -- Jeanfrancois
> 
> 
> 
> glenn@apache.org wrote:
> 
>> glenn       2002/09/30 12:59:47
>>
>>  Modified:    catalina/src/conf catalina.policy
>>  Log:
>>  Allow defineClassInPackage for util due to Request Parametermap needs
>>  
>>  Revision  Changes    Path
>>  1.28      +3 -1      
>> jakarta-tomcat-4.0/catalina/src/conf/catalina.policy
>>  
>>  Index: catalina.policy
>>  ===================================================================
>>  RCS file: 
>> /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v
>>  retrieving revision 1.27
>>  retrieving revision 1.28
>>  diff -u -r1.27 -r1.28
>>  --- catalina.policy    8 Sep 2002 18:04:02 -0000    1.27
>>  +++ catalina.policy    30 Sep 2002 19:59:47 -0000    1.28
>>  @@ -121,6 +121,8 @@
>>     // Required for sevlets and JSP's
>>     permission java.lang.RuntimePermission 
>> "accessClassInPackage.org.apache.catalina.util";      permission 
>> java.lang.RuntimePermission 
>> "accessClassInPackage.org.apache.catalina.util.*";
>>  +  permission java.lang.RuntimePermission 
>> "defineClassInPackage.org.apache.catalina.util";
>>  +  permission java.lang.RuntimePermission 
>> "defineClassInPackage.org.apache.catalina.util.*";
>>       // Required for running servlets generated by JSPC
>>     permission java.lang.RuntimePermission 
>> "accessClassInPackage.org.apache.jasper.runtime";
>>  
>>  
>>  
>>
>> -- 
>> To unsubscribe, e-mail:   
>> <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
>> For additional commands, e-mail: 
>> <mailto:tomcat-dev-help@jakarta.apache.org>
>>
>>
>>  
>>
> 
> 
> -- 
> To unsubscribe, e-mail:   
> <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: 
> <mailto:tomcat-dev-help@jakarta.apache.org>


-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message