tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Juha Laiho <Juha.La...@iki.fi>
Subject Re: Disable java code execution <%blabla%> in jsp, but permits tags
Date Wed, 10 Sep 2008 21:18:39 GMT
kazukin6 wrote:
> Is it possible to disable all java code execution within jsp page (by
> security manager or something)
> but allow custom tags to be executed?
> 
> The problem is that the users can change jsp files, and due to security
> reasons we can allow them to use only tags 

Unfortunately I don't have an idea on how to prevent Java snippets
in JSPs, but have you considered whether using Java security manager
would be enough to defend you against the estimated threats?
-- 
..Juha

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message