tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hans Bergsten <>
Subject Re: cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper
Date Wed, 22 Jan 2003 20:53:49 GMT
Jeanfrancois Arcand wrote:
> [...]
> We can support runtime package name addition (when the servlet is 
> generated, ask the security manager to protect the package).  So it can 
> be optional, i.e. being able to tell jasper to generate servlet using 
> org.apache.jsp (something configurable via JMX ;-) ), without or with a 
> aaa.bbb.ccc. Then when package generation option is selected, then ask 
> the security manager to protect it.. It will be easy to document the 
> functionality and that will  improve the security manager protection 
> mechanim (by having the choice of protecting or not a package, and by 
> having the choice of the package name).

I admit I'm almost totally ignorant about this, so can you please
explain why I would want to protect the package used for my JSP pages?
Who am I protecting myself against, what type of attack, in what type
of environment? Given that each web app has it's own classloader and
(I assume) is in control over what goes in it's web app structure, I
just don't see the need for this protection. But I may be totally wrong,
so please enlighten me.

Hans Bergsten                                <>
Gefion Software                       <>
Author of O'Reilly's "JavaServer Pages", covering JSP 1.2 and JSTL 1.0
Details at                                    <>

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message