tomcat-dev mailing list archives

From Jean-Francois Arcand <jfarc...@apache.org>
Subject [Security Audit] Package protection...
Date Tue, 15 Oct 2002 19:03:39 GMT
Hi,

Is somebody aware why packages org.apache.coyote.* and 
org.apache.tomcat.* are not protected against package insertion/access 
in Catalina.java? What are the reasons? Actually, classes are not 
available to a Webapp (the Classloader is taking care of it) but when 
Tomcat is embedded in an app container (or when there is a special 
Classloader), those classes are available :-(

Actually, we only protect the following packages:

        if( System.getSecurityManager() != null ) {
            String access = Security.getProperty("package.access");
            if( access != null && access.length() > 0 )
                access += ",";
            else
                access = "sun.,";
            Security.setProperty("package.access",
                access + "org.apache.catalina.,org.apache.jasper.");
            String definition = Security.getProperty("package.definition");
            if( definition != null && definition.length() > 0 )
                definition += ",";
            else
                definition = "sun.,";
            Security.setProperty("package.definition",
                // FIX ME package "javax." was removed to prevent HotSpot
                // fatal internal errors
                definition + "java.,org.apache.catalina.,org.apache.jasper.");
        }

Thanks,

-- Jeanfrancois
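
The coverage gap raised in the message can be checked mechanically. The Java class below is an added example, not part of the original message or of Tomcat's source: the class name `PackageProtectionAudit` and its methods are hypothetical, and the input string is constructed from the snippet above on the assumption that `package.access` starts out empty.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example (not Tomcat source): reports which packages a
// package.access / package.definition value actually restricts.
public class PackageProtectionAudit {

    // Split the comma-separated property value into non-empty entries.
    static List<String> entries(String value) {
        List<String> out = new ArrayList<>();
        if (value == null) return out;
        for (String s : value.split(",")) {
            if (!s.trim().isEmpty()) out.add(s.trim());
        }
        return out;
    }

    // Matching rule of SecurityManager.checkPackageAccess: the package
    // starts with a listed entry, or equals it without the trailing dot.
    static boolean restricted(String pkg, List<String> list) {
        for (String entry : list) {
            if (pkg.startsWith(entry) || entry.equals(pkg + ".")) return true;
        }
        return false;
    }

    // Map each package name to whether the property value covers it.
    static Map<String, Boolean> audit(String value, String... pkgs) {
        List<String> list = entries(value);
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String pkg : pkgs) result.put(pkg, restricted(pkg, list));
        return result;
    }

    public static void main(String[] args) {
        // Constructed input: the value the snippet above yields when the
        // property starts out empty.
        String fromSnippet = "sun.,org.apache.catalina.,org.apache.jasper.";
        String[] pkgs = { "org.apache.catalina", "org.apache.jasper",
                          "org.apache.coyote", "org.apache.tomcat" };
        System.out.println("snippet value: " + audit(fromSnippet, pkgs));
        // Live value of the running JVM, for comparison.
        System.out.println("this JVM:      "
            + audit(Security.getProperty("package.access"), pkgs));
    }
}
```

Passing the value of `package.definition` to `audit` instead gives the same report for package insertion.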

