tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hans Bergsten <>
Subject Re: cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper
Date Wed, 22 Jan 2003 19:44:38 GMT
Remy Maucherat wrote:
> Jeanfrancois Arcand wrote:
>> The only problem I see by removing the package org.apache.jsp is that 
>> when Tomcat run under the security manager, it is no longer possible 
>> to protect an application from package insertion/access (dangerous).
>> It is  still possible to protect the application by manually adding 
>> the new package name under the conf/ file. This will 
>> have to be documented somewhere.
> That's a good point, also. (oh, no, I'm back in the middle of a JSPC 
> induced mess ;-) )
> Ok, I can re-revert my patch ;-)

Please don't. The way it's pathced now, it works as in TC 4.0.4. Also
note that this is for precompiled JSP pages only. If there are
security concerns (I know I'm ignorant), let's look at both JspServlet
and JSPC and find a solution that works for both at the same time.

Hans Bergsten                                <>
Gefion Software                       <>
Author of O'Reilly's "JavaServer Pages", covering JSP 1.2 and JSTL 1.0
Details at                                    <>

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message