From: Remy Maucherat
Date: Fri, 19 Nov 2004 20:05:28 +0100
To: Tomcat Developers List
Subject: Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session PersistentManagerBase.java StandardManager.java StandardSession.java

Jean-Francois Arcand wrote:

> It's not useless. Normal permissions are still turned on. It's only
> the package protection that is disabled. When disabled, Tomcat 5 is as
> unsecure as Tomcat 4 in terms of sniffing/loading classes, but still
> secure in terms of browsing the file system etc.

Possibly. But I don't know what you can do with access to the Tomcat internals, and hacking the container is a bad security problem IMO. I don't see how you could want half-assed security. Oh wait, there's Window$, so I guess there are takers ;)

BTW, Tomcat 4 did package protection.

Rémy