tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Costin Manolache <cmanola...@yahoo.com>
Subject Re: [Security Audit] Package protection...
Date Tue, 15 Oct 2002 19:56:10 GMT
IMO sealing is the best protection against insertion, 
and using URLClassLoader ( or making sure all the checks from
URLClassLoader are reproduced ).

I agree, this is a potential risk - as untrusted code may access
package fields. So far I don't see any, but better to be sure.

Costin

Jean-Francois Arcand wrote:

> HI,
> 
> is somebody aware why package org.apache.coyote.* and
> org.apache.tomcat.* are not protected againts package insertion/access
> in Catalina.java. What is the reasons? Actually, classes are not
> available to a Webapp (the Classloader is taking care of it) but when
> Tomcat is embedded in an app container (or when there is a special
> Classloader), those classes are available :-(
> 
> Actually, we only protect the following package:
> 
>         if( System.getSecurityManager() != null ) {
>             String access = Security.getProperty("package.access");
>             if( access != null && access.length() > 0 )
>                 access += ",";
>             else
>                 access = "sun.,";
>             Security.setProperty("package.access",
>                 access + "org.apache.catalina.,org.apache.jasper.");
>             String definition =
>             Security.getProperty("package.definition"); if( definition !=
>             null && definition.length() > 0 )
>                 definition += ",";
>             else
>                 definition = "sun.,";
>             Security.setProperty("package.definition",
>                 // FIX ME package "javax." was removed to prevent HotSpot
>                 // fatal internal errors
>                 definition +
> "java.,org.apache.catalina.,org.apache.jasper.");
>         }
> 
> Thanks,
> 
> -- Jeanfrancois

-- 
Costin



--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message