tomcat-dev mailing list archives

From Jean-Francois Arcand <jfarc...@apache.org>
Subject Package Protection: which one?
Date Thu, 24 Oct 2002 15:07:09 GMT
Hi,

Testing package protection, I have come to the following conclusion:

Packages that we can protect against access
----------------------------------------------
o.a.catalina
o.a.jasper
o.a.jsp
o.a.jk

Packages that we can protect against definition
----------------------------------------------
o.a.catalina
o.a.jasper
o.a.jsp
o.a.jk
o.a.coyote

Packages that could be protected, but need to change:
-------------------------------------------------------
o.a.naming
o.a.coyote
o.a.tomcat.util

If we decide to fully protect o.a.coyote, that means that every call to 
CoyoteRequestFacade and CoyoteResponseFacade will need to run under a 
doPrivileged block (every call that uses o.a.tomcat.util). Then 
o.a.tomcat.util could be protected (only if o.a.coyote is).

I made a wrong recommendation last week when I said that o.a.coyote can 
be protected (rule #1: test using the jakarta workspace, not with your 
local workspace). Testing with a basic servlet proved the contrary (see 
4.1.13 release notes....guilty!). I've committed in both Tomcat 4 and 5 
the proper protection configuration.

I would like to have recommendations on which packages should be 
protected. Based on the list, I will audit the packages that stay unprotected.

Thanks,

-- Jeanfrancois
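
The facade-under-doPrivileged pattern the message describes, as an added sketch that is not part of the original post and not Tomcat's own code. RequestFacadeSketch and InternalRequest are hypothetical names standing in for a facade and for a container class in a protected package; a JVM that still supports the Security Manager is assumed.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical facade: the only object the web application is handed.
public final class RequestFacadeSketch {

    // Hypothetical stand-in for a container-internal class whose package
    // would be listed as protected (for example a helper in o.a.tomcat.util).
    static final class InternalRequest {
        private final String serverName;
        InternalRequest(String serverName) { this.serverName = serverName; }
        String getServerName() { return serverName; }
    }

    // Kept private and never returned, so callers cannot reach past the facade.
    private final InternalRequest request;

    public RequestFacadeSketch(InternalRequest request) {
        this.request = request;
    }

    public String getServerName() {
        // Without a SecurityManager no package checks run, so skip the wrapper.
        if (System.getSecurityManager() == null) {
            return request.getServerName();
        }
        // Permission checks raised inside run() stop at this frame: the web
        // application frames below it on the call stack are not consulted,
        // only this class's protection domain and the code it calls.
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            @Override
            public String run() {
                return request.getServerName();
            }
        });
    }

    public static void main(String[] args) {
        // Constructed sample value; runs without a SecurityManager installed.
        RequestFacadeSketch facade =
                new RequestFacadeSketch(new InternalRequest("localhost"));
        System.out.println(facade.getServerName());
    }
}
```

Keeping the privileged block limited to the single internal call matters: anything else placed inside run() would also execute with the facade's permissions instead of the caller's.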

