tomcat-dev mailing list archives

From Jean-Francois Arcand <jfarc...@apache.org>
Subject Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java
Date Fri, 19 Nov 2004 15:00:04 GMT


Remy Maucherat wrote:
> jfarcand@apache.org wrote:
> 
>> jfarcand    2004/11/18 14:13:36
>>
>>  Modified:    catalina/src/share/org/apache/catalina/core Tag: TOMCAT_5_0
>>                        ApplicationContextFacade.java
>>                        ApplicationDispatcher.java
>>                        ApplicationFilterChain.java StandardWrapper.java
>>               catalina/src/share/org/apache/catalina/security Tag:
>>                        TOMCAT_5_0 SecurityUtil.java
>>               catalina/src/share/org/apache/catalina/session Tag:
>>                        TOMCAT_5_0 PersistentManagerBase.java
>>                        StandardManager.java StandardSession.java
>>  Log:
>>  When the package protection is not used, do not create the 
>> doPrivileged objects so we don't suffer the performance hit (15% 
>> faster with trade2 and this change). Also fixed a memory leak when 
>> security manager is turned on.
>>
> Fixing leaks is good :)
> 
> I have a question:
> Can it ever happen that package access is disabled ? Tomcat is probably 
> not secure without those checks. So what is the purpose of the change 
> exactly ?

Actually, my next step is to allow an empty field in catalina.properties, 
which will disable the mechanism (next commit :-)). Right now you can 
only disable the mechanism by removing the catalina.properties or if you 
use the Embedded interface.

By default I still want to keep Tomcat as secure as possible, but leave 
the door open for disabling the mechanism. As an example, when Tomcat 
gets benchmarked against other unsecure containers with security turned 
on, people will think Tomcat is slower, which is not right.

-- Jeanfrancois




> 
> Rémy

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
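
The pattern the commit log describes, as an added example that is not part of the original message and not Tomcat's code: build the `doPrivileged` action object only when package protection is active, and call directly otherwise. The class and method names are hypothetical, and tying the switch to an installed `SecurityManager` plus a non-empty JDK `package.access` security property is an assumption.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.Security;

// Added illustration; names are hypothetical and this is not Tomcat source.
public class GuardedPrivilegedCall {

    // Assumption: protection is "on" only when a SecurityManager is installed
    // and the package.access security property lists at least one package.
    static boolean packageProtectionEnabled(SecurityManager sm, String packageAccess) {
        return sm != null && packageAccess != null && !packageAccess.trim().isEmpty();
    }

    // Evaluated once, so the hot path pays for a single boolean test.
    static final boolean PROTECTED = packageProtectionEnabled(
            System.getSecurityManager(), Security.getProperty("package.access"));

    // Counts how many PrivilegedAction objects the hot path allocates.
    static int privilegedObjectsCreated = 0;

    static String readSetting(final String key) {
        if (PROTECTED) {
            // Secure path: the read runs with this class's own permissions,
            // at the cost of one action object per call.
            privilegedObjectsCreated++;
            return AccessController.doPrivileged(new PrivilegedAction<String>() {
                @Override
                public String run() {
                    return System.getProperty(key);
                }
            });
        }
        // Unprotected path: no SecurityManager would check the call anyway,
        // so skip the wrapper object entirely.
        return System.getProperty(key);
    }

    public static void main(String[] args) {
        for (int i = 0; i < 1000; i++) {
            readSetting("java.version");
        }
        System.out.println("protected=" + PROTECTED
                + " privilegedObjectsCreated=" + privilegedObjectsCreated);
    }
}
```

The `SecurityManager` API is deprecated in current JDKs, so this compiles with deprecation warnings there and always takes the direct path when no manager is installed.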

