tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Webmaster" <webmas...@cienciapura.com.br>
Subject Tomcat + Hibernate2 + Security Manager
Date Tue, 27 Jan 2004 16:31:25 GMT
Hi all,

I know this is a little bit out of topic, but the general concept is useful for everybody.

I run tomcat with security manager for a dozen users. Recently, people started to use the
hibernate 2 which requires some funky permissions.

I had to put these lines in the 'global' permission to make it work:

grant {

...

  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";

...
}

Note: I DID test using a codebase like:

grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" { 
....

but the classes hibernate creates after reflection stop obeying the security manager.

Are there any security risks on a security setup with those 3 lines for all classes in the
JVM ?

Thanks
Renato.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message