Return-Path: Delivered-To: apmail-jakarta-tomcat-dev-archive@www.apache.org Received: (qmail 42838 invoked from network); 1 Jun 2004 22:09:00 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 1 Jun 2004 22:09:00 -0000 Received: (qmail 55471 invoked by uid 500); 1 Jun 2004 22:09:09 -0000 Delivered-To: apmail-jakarta-tomcat-dev-archive@jakarta.apache.org Received: (qmail 55387 invoked by uid 500); 1 Jun 2004 22:09:08 -0000 Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Help: List-Post: List-Id: "Tomcat Developers List" Reply-To: "Tomcat Developers List" Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 55372 invoked by uid 99); 1 Jun 2004 22:09:08 -0000 Received: from [209.237.227.194] (HELO minotaur.apache.org) (209.237.227.194) by apache.org (qpsmtpd/0.27.1) with SMTP; Tue, 01 Jun 2004 15:09:08 -0700 Received: (qmail 42569 invoked from network); 1 Jun 2004 22:08:47 -0000 Received: from localhost.hyperreal.org (HELO apache.org) (127.0.0.1) by localhost.hyperreal.org with SMTP; 1 Jun 2004 22:08:47 -0000 Message-ID: <40BCFE67.70302@apache.org> Date: Wed, 02 Jun 2004 00:08:39 +0200 From: Remy Maucherat User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7b) Gecko/20040421 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Tomcat Developers List Subject: Re: session facade not used for event References: <070d01c44810$4f4a6a10$dd01dc0a@Corp.LaQuinta.com> <40BCE0D7.6000305@apache.org> <079401c44822$3e89e950$dd01dc0a@Corp.LaQuinta.com> In-Reply-To: <079401c44822$3e89e950$dd01dc0a@Corp.LaQuinta.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Rating: localhost.hyperreal.org 1.6.2 0/1000/N X-Virus-Checked: Checked X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N Filip Hanik - Dev wrote: >>>Facading is likely worthless for sessions, > > you think so, you don't think session.setPrincipal is a security issue? Missed that one ;) As Jean-Fran�ois said, the security manager will avoid the problem. I think it won't hurt replacing the "this"s with "getSession()"s in the event constructors, though. R�my --------------------------------------------------------------------- To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org