tomcat-dev mailing list archives

From Jeanfrancois Arcand <Jeanfrancois.Arc...@Sun.COM>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityClassLoad.java
Date Tue, 06 Jan 2004 15:40:23 GMT


billbarker@apache.org wrote:

>billbarker    2004/01/05 20:27:34
>
>  Modified:    catalina/src/share/org/apache/catalina/security
>                        SecurityClassLoad.java
>  Log:
>  Adding classes for Coyote-Jk.
>  
>  This addresses Bug #25819.
>  
>  Reported By: Dario Bonino dario.bonino@rgi.it
>  
>  Revision  Changes    Path
>  1.12      +13 -4     jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java
>  
>  Index: SecurityClassLoad.java
>  ===================================================================
>  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java,v
>  retrieving revision 1.11
>  retrieving revision 1.12
>  diff -u -r1.11 -r1.12
>  --- SecurityClassLoad.java	31 Oct 2003 01:30:01 -0000	1.11
>  +++ SecurityClassLoad.java	6 Jan 2004 04:27:34 -0000	1.12
>  @@ -90,6 +90,7 @@
>           loadJavaxPackage(loader);
>           loadCoyotePackage(loader);        
>           loadHttp11Package(loader);        
>  +        loadJkPackage(loader);
>       }
>       
>       
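Review bot: the new loadJkPackage(loader) call is unconditional, and because loadJkPackage is declared `throws Exception` and calls loader.loadClass directly, a ClassNotFoundException for org.apache.tomcat.util.buff.C2BConverter will propagate out of this preload sequence instead of being skipped, so the class becomes a hard requirement for every startup that runs this path, not just installations using Coyote-Jk; either catch and log ClassNotFoundException around this call or state in the class comment that the class must be present on the container class path.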
>  @@ -239,6 +240,14 @@
>           loader.loadClass
>               (basePackage +
>                "CoyoteResponse$3");
>  +    }
>  +
>  +    private final static void loadJkPackage(ClassLoader loader)
>  +        throws Exception {
>  +        String basePackage = "org.apache.tomcat.util.";
>  +        loader.loadClass
>  +            (basePackage +
>  +             "buff.C2BConverter");
>       }
>   
>   }
>  
>
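Review bot: loadJkPackage is misnamed for what it resolves: basePackage is "org.apache.tomcat.util." and the only class loaded is "buff.C2BConverter", a top-level class in the shared org.apache.tomcat.util.buff package, not a jk-specific class and not an inner class like the "CoyoteResponse$3" entry just above it, so neither the method name nor the "Adding classes for Coyote-Jk" log line matches the hunk. There is also no comment saying why C2BConverter needs preloading at all (Bug #25819 is cited but the failure it fixes is not described); add a one-line comment naming the privileged code path that needs the class already resolved, or give the method a name such as loadUtilPackage that reflects the package it actually touches.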
-1. That breaks the way we are implementing security. The role of this 
class is to load security-related inner classes. Doing this makes the 
class available for all Servlets (that breaks the package protection 
mechanism). You should add a doPrivileged block within the jk code 
instead and load the inner class here. Also, it is now impossible to 
protect that class using the catalina.properties if you do that.

If you think C2BConverter is secure and should not be protected 
(available to Servlets), add the package to the catalina.policy instead.

-- Jeanfrancois
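The alternative the reply asks for, as an added illustration rather than code from the Tomcat tree or from this thread: instead of preloading C2BConverter in SecurityClassLoad (which is loaded once by trusted startup code and is what makes the class reachable regardless of what catalina.properties restricts), the connector code resolves the class itself inside an AccessController.doPrivileged block, so the permission checks triggered by class loading run against the connector's own ProtectionDomain and never against a servlet's stack frame. The class name JkClassPreload, the method names, and the assumption that org.apache.tomcat.util.buff.C2BConverter is on the class path are all mine; the doPrivileged / PrivilegedExceptionAction pattern is standard java.security API.

```java
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/**
 * Hypothetical helper for the Coyote-JK code path (added illustration,
 * not part of Tomcat). Resolves C2BConverter from a privileged block so
 * the class-loading checks are evaluated with the connector's own
 * permissions instead of the calling webapp's.
 */
public final class JkClassPreload {

    // Assumed to be on the container class path (tomcat-util classes).
    private static final String C2B =
        "org.apache.tomcat.util.buff.C2BConverter";

    private JkClassPreload() {}

    /**
     * Loads C2BConverter under the container's privileges. Only the
     * frames above the doPrivileged call are inspected by the
     * AccessController, so a servlet further down the stack does not
     * need accessClassInPackage permission for org.apache.tomcat.util.buff.
     */
    public static Class preloadC2BConverter(final ClassLoader loader)
            throws ClassNotFoundException {
        try {
            return (Class) AccessController.doPrivileged(
                new PrivilegedExceptionAction() {
                    public Object run() throws ClassNotFoundException {
                        // loader.loadClass, not Class.forName, to match
                        // what SecurityClassLoad itself does
                        return loader.loadClass(C2B);
                    }
                });
        } catch (PrivilegedActionException e) {
            // run() declares only ClassNotFoundException, so this cast is safe
            throw (ClassNotFoundException) e.getException();
        }
    }

    /**
     * The same load without the privileged block, kept for comparison:
     * with a SecurityManager installed and the package listed in
     * package.access, this throws AccessControlException when a webapp
     * class is anywhere on the call stack.
     */
    public static Class loadUnprivileged(ClassLoader loader)
            throws ClassNotFoundException {
        return loader.loadClass(C2B);
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = JkClassPreload.class.getClassLoader();
        Class c = preloadC2BConverter(cl);
        System.out.println("resolved " + c.getName()
            + " via " + c.getClassLoader());
    }
}
```

Calling preloadC2BConverter once during connector initialisation, rather than from SecurityClassLoad, keeps the class out of the set that every webapp can reach and leaves org.apache.tomcat. protected by the package.access list in catalina.properties. The other option the reply names, declaring the package safe for webapps, is a grant in catalina.policy of the form java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.buff" to the webapp codeBase; which one is right depends on whether C2BConverter is meant to be usable from servlet code at all, which the commit does not say.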




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

