tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeanfrancois Arcand <>
Subject Re: cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper
Date Wed, 22 Jan 2003 20:13:11 GMT

Hans Bergsten wrote:

> Remy Maucherat wrote:
>> Jeanfrancois Arcand wrote:
>>> The only problem I see by removing the package org.apache.jsp is 
>>> that when Tomcat run under the security manager, it is no longer 
>>> possible to protect an application from package insertion/access 
>>> (dangerous).
>>> It is  still possible to protect the application by manually adding 
>>> the new package name under the conf/ file. This 
>>> will have to be documented somewhere.
>> That's a good point, also. (oh, no, I'm back in the middle of a JSPC 
>> induced mess ;-) )
>> Ok, I can re-revert my patch ;-)
> Please don't. The way it's pathced now, it works as in TC 4.0.4. Also
> note that this is for precompiled JSP pages only. If there are
> security concerns (I know I'm ignorant), let's look at both JspServlet
> and JSPC and find a solution that works for both at the same time.

We can support runtime package name addition (when the servlet is 
generated, ask the security manager to protect the package).  So it can 
be optional, i.e. being able to tell jasper to generate servlet using 
org.apache.jsp (something configurable via JMX ;-) ), without or with a 
aaa.bbb.ccc. Then when package generation option is selected, then ask 
the security manager to protect it.. It will be easy to document the 
functionality and that will  improve the security manager protection 
mechanim (by having the choice of protecting or not a package, and by 
having the choice of the package name).

-- Jeanfrancois

> Hans

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message