tomcat-users mailing list archives

From "David Cassidy (Programmer)" <>
Subject Re: Preventing System.exit(0)
Date Mon, 30 Jul 2001 15:54:22 GMT


Security managers...

Why use a SecurityManager?
The Java SecurityManager is what allows a web browser to run an applet
in its own sandbox to prevent untrusted code from accessing files on the
local system, connecting to a host other than the one the applet was
loaded from, etc.

In the same way the SecurityManager protects you from an untrusted
applet running in your browser, use of a SecurityManager while running
Tomcat can protect your server from trojan servlets, JSP's, JSP beans,
and tag libraries.  Or even inadvertent mistakes.

Imagine if someone who is authorized to publish JSP's on your site
inadvertently included the following in their JSP:

<% System.exit(1); %>



Tim O'Neil wrote:
> At 06:24 AM 7/30/2001, you wrote:
> >Is it possible to configure Tomcat to avoid shutdown
> >in case the jsp page contains the code:
> >
> ><% System.exit(0); %>
> Java SERVER pages are server-side code. Why is having
> a system object issue an exit method an issue for you?
> Do you plan on having your server run black box code?
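
Added example (not part of the original message or of Tomcat's own code): a minimal Java SecurityManager that vetoes JVM exit, so the System.exit(1) from the message raises a SecurityException instead of stopping the server process. The class and method names are hypothetical, and it assumes a JVM that still allows installing a SecurityManager (Java 17 or earlier, or Java 18 to 23 started with -Djava.security.manager=allow).

```java
import java.security.Permission;

// Added example: isolates the exit check that protects a container's JVM.
public class NoExitDemo {

    /** Denies JVM exit; permits everything else so the demo stays small. */
    static final class NoExitSecurityManager extends SecurityManager {
        @Override
        public void checkExit(int status) {
            // Runtime.exit() consults this hook before halting the JVM.
            throw new SecurityException("System.exit(" + status + ") denied");
        }

        @Override
        public void checkPermission(Permission perm) {
            // Allow all other operations. A real container policy is far
            // more restrictive; this demo only shows the exit veto.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            // Same permissive behaviour for the context-based variant.
        }
    }

    /** Stand-in for the compiled body of the JSP quoted in the message. */
    static void untrustedPageBody() {
        System.exit(1);
    }

    public static void main(String[] args) {
        System.setSecurityManager(new NoExitSecurityManager());
        try {
            untrustedPageBody();
            System.out.println("not reached");
        } catch (SecurityException e) {
            // The container would log this and fail only the one request.
            System.out.println("Blocked: " + e.getMessage());
        }
        System.out.println("JVM still running");
    }
}
```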
