tomcat-dev mailing list archives

From Costin Manolache <cmanola...@yahoo.com>
Subject Re: [Proposal] Having a Tomcat.security file.
Date Wed, 16 Oct 2002 21:16:40 GMT
+1 on the proposal.

However, I'm not sure about the change on o.a.t.util, nor about the
other jk packages.

I do agree the package should be sealed to protect package fields
and methods. But I don't think it should be restricted - or at least
it should be possible for webapps to include the package in WEB-INF/lib
and use it as a library (i.e. package.access should be true for it).


Costin

Jean-Francois Arcand wrote:

> Hi,
> 
> I've re-factored Catalina.java and CatalinaService.java and merged the
> security code into a single class: o.a.c.security.SecurityConfig. This
> class will manage all the package access/definition security properties.
> 
> Actually, the list of package access/definition are hardcoded in that
> class. I would like to propose we move this package list into a
> Tomcat.security file following the J2SE format (see below). This way if
> people need access to a package, they will have the opportunity to do
> it with having to recompile Catalina.
> 
> Right now, some Watchdog tests are failing because they need access to
> o.a.t.util, and yesterday, we have started protecting this package.
> 
> What do you think? I know, that's another config file (I don't like
> having another file). I don't see where we could place that information.
> 
> Thanks,
> 
> -- Jeanfrancois
> 
> #
> # List of comma-separated packages that start with or equal this string
> # will cause a security exception to be thrown when
> # passed to checkPackageAccess unless the
> # corresponding RuntimePermission ("accessClassInPackage."+package) has
> # been granted.
> package.access=sun.
> 
> #
> # List of comma-separated packages that start with or equal this string
> # will cause a security exception to be thrown when
> # passed to checkPackageDefinition unless the
> # corresponding RuntimePermission ("defineClassInPackage."+package) has
> # been granted.
> #
> # by default, no packages are restricted for definition, and none of
> # the class loaders supplied with the JDK call checkPackageDefinition.
> #
> #package.definition=

-- 
Costin
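
Added example, not part of either message and not Tomcat's SecurityConfig code: a sketch of how entries from a file in the proposed format could be merged into the JVM's `package.access` security property, and how the "start with or equal" rule treats `o.a.t.util`. The class name, the sample entries and the `isRestricted` helper are assumptions made for illustration; the trailing-dot comparison is assumed to mirror the JDK's own check.

```java
import java.io.StringReader;
import java.security.Security;
import java.util.Properties;

public class PackageAccessDemo {
    // Constructed sample in the proposed file's format (not Tomcat's actual list).
    static final String SAMPLE =
        "package.access=org.apache.catalina.,org.apache.tomcat.util.\n"
        + "#package.definition=\n";

    // Append the file's entries to the JVM-wide security property, keeping
    // whatever the JRE's java.security file already lists (e.g. "sun.").
    static String merge(String key, Properties fileProps) {
        String current = Security.getProperty(key);
        String extra = fileProps.getProperty(key);
        if (extra == null || extra.trim().isEmpty()) return current;
        String merged = (current == null || current.isEmpty())
            ? extra : current + "," + extra;
        Security.setProperty(key, merged);
        return merged;
    }

    // Rule from the file's comment: a package is restricted if it starts with,
    // or equals, a listed entry. Matching is on raw strings, so the trailing
    // dot is what stops an entry from also catching sibling packages.
    static boolean isRestricted(String pkg, String list) {
        if (list == null) return false;
        for (String entry : list.split(",")) {
            String e = entry.trim();
            if (e.isEmpty()) continue;
            // Assumption: "pkg." equal to the entry counts as the package itself.
            if (pkg.startsWith(e) || e.equals(pkg + ".")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        p.load(new StringReader(SAMPLE));
        String list = merge("package.access", p);
        System.out.println("package.access=" + list);
        for (String pkg : new String[] {
                "org.apache.tomcat.util", "org.apache.tomcat.util.buf",
                "org.apache.tomcat.utility", "javax.servlet"}) {
            System.out.println(pkg + " restricted=" + isRestricted(pkg, list));
        }
    }
}
```

With `org.apache.tomcat.util.` listed, a webapp that bundles the package in WEB-INF/lib would need the `accessClassInPackage.org.apache.tomcat.util` RuntimePermission to use it, which is the case the reply above asks to keep possible.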


