tomcat-dev mailing list archives

From Glenn Nielsen <gl...@mail.more.net>
Subject Re: Security Check in Classloader.
Date Thu, 24 Oct 2002 09:02:34 GMT

Jean-Francois Arcand wrote:
> Hi,
> 
> In StandardClassLoader, starting line 815, the SecurityManager is invoked:
> 
>        // (.5) Permission to access this class when using a SecurityManager
>        if (securityManager != null) {
>            int i = name.lastIndexOf('.');
>            if (i >= 0) {
>                try {
>                    securityManager.checkPackageAccess(name.substring(0,i));
>                } catch (SecurityException se) {
>                    String error = "Security Violation, attempt to use " +
>                        "Restricted Class: " + name;
>                    System.out.println(error);
>                    se.printStackTrace();
>                    log(error);
>                    throw new ClassNotFoundException(error);
>                }
>            }
>        }
> 
> Why are we calling the SecurityManager.checkPackageAccess in 
> StandardClassLoader? Since we give all permissions to 
> org.apache.catalina, I think this call is useless. This call is required 
> when invoked inside WebappClassLoader.
> 

Because a paranoid Tomcat admin like me may not grant AllPermission to catalina
in their security policy.

Regards,

Glenn


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>

