tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jean-Francois Arcand <>
Subject [Security Audit] CoyoteRequest.doGetSession
Date Tue, 15 Oct 2002 21:42:06 GMT

In o.a.c.tomcat5.CoyoteRequest (same in tomcat4), there is a doPrivilege 
block that grant the doGetSession method. This method delegate the logic 
to the o.a.c.Manager instance. A Manager can (but it's not required) 
uses a o.a.c.Store object . The Manager and the Store object may need 
special privileges when handling session persistance (see 
o.a.c.session.FileStore for an example).

I would recommend we remove the doPrivilege block from CoyoteRequest and 
delegate the doPrivilege call to the Manager (or the Store) instance. 
That will allow better fine grained security check. Only the required 
operations should be granted (right now every Manager is granted -> so 
every Store instance!). As an example, o.a.c.session.FileStore does not 
contains any security checks in its current implementation, and IMO, it 

The contract between the Manager and CoyoteRequest will have to be 
documented somewhere since Manager written for Tomcat 4 may no longer 
works. The catalina.policy file can then be used to give special 
privileges to ManagerX, but not to ManagerY (same for Store instance or 
whatever objects is used), based on codebase.

Any recommendations/objections to the modification?


-- Jeanfrancois

P.S Right now, if you run Tomcat with the default Security manager, the 
doPrivilege block is useless. For performance reason, we should avoid 
this call.

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message