Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Message-ID: <3DB7B72A.9040304@mail.more.net>
Date: Thu, 24 Oct 2002 04:02:34 -0500
From: Glenn Nielsen <glenn@mail.more.net>
Organization: MOREnet
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020909
MIME-Version: 1.0
To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
Subject: Re: Security Check in Classloader.
References: <3DB6F5F8.40802@apache.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Jean-Francois Arcand wrote:
> Hi,
> 
> In StandardClassLoader, starting line 815, the SecurityManager is invoked:
> 
>        // (.5) Permission to access this class when using a SecurityManager
>        if (securityManager != null) {
>            int i = name.lastIndexOf('.');
>            if (i >= 0) {
>                try {
>                    securityManager.checkPackageAccess(name.substring(0,i));
>                } catch (SecurityException se) {
>                    String error = "Security Violation, attempt to use " +
>                        "Restricted Class: " + name;
>                    System.out.println(error);
>                    se.printStackTrace();
>                    log(error);
>                    throw new ClassNotFoundException(error);
>                }
>            }
>        }
> 
> Why are we calling the SecurityManager.checkPackageAccess in 
> StandardClassLoader? Since we give all permissions to 
> org.apache.catalina, I think this call is useless. This call is required 
> when invoked inside WebappClassLoader.
> 

Because a paranoid Tomcat admin like me may not grant AllPermission to catalina
in their security policy.

Regards,

Glenn


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>