tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Glenn Nielsen <>
Subject Re: [Security Audit] CoyoteRequest.doGetSession
Date Wed, 16 Oct 2002 14:13:36 GMT
The doPrivileged() for getting a session is in the CoyoteRequest public getSession()
method which is implemented as required by ServletRequest and HttpServletRequest.

The getSession() can be called by a web application.  The doPrivileged() block would
be required to exist either where it currently is or in each individual implementation
of Manager/Store.  If it wasn't there getting a session would fail if the web app
were not granted the necessary permissions.  Permissions I would not want to grant to it.

IMHO it is best left where it is.  If someone were to implement a custom Manager/Store
then the permissions allowed at that point would be the intersection of those permissions
granted to catalina and those granted to the codeBase for the custom Manager/Store.
So you still have your fine grained control of security policies.
That is how it should work.

-1 for changing/removing the doPrivileged()



Jean-Francois Arcand wrote:
> Hi,
> In o.a.c.tomcat5.CoyoteRequest (same in tomcat4), there is a doPrivilege 
> block that grant the doGetSession method. This method delegate the logic 
> to the o.a.c.Manager instance. A Manager can (but it's not required) 
> uses a o.a.c.Store object . The Manager and the Store object may need 
> special privileges when handling session persistance (see 
> o.a.c.session.FileStore for an example).
> I would recommend we remove the doPrivilege block from CoyoteRequest and 
> delegate the doPrivilege call to the Manager (or the Store) instance. 
> That will allow better fine grained security check. Only the required 
> operations should be granted (right now every Manager is granted -> so 
> every Store instance!). As an example, o.a.c.session.FileStore does not 
> contains any security checks in its current implementation, and IMO, it 
> should.
> The contract between the Manager and CoyoteRequest will have to be 
> documented somewhere since Manager written for Tomcat 4 may no longer 
> works. The catalina.policy file can then be used to give special 
> privileges to ManagerX, but not to ManagerY (same for Store instance or 
> whatever objects is used), based on codebase.
> Any recommendations/objections to the modification?
> Thanks,
> -- Jeanfrancois
> P.S Right now, if you run Tomcat with the default Security manager, the 
> doPrivilege block is useless. For performance reason, we should avoid 
> this call.
> -- 
> To unsubscribe, e-mail:   
> <>
> For additional commands, e-mail: 
> <>

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message