tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Problems with Tomcat when trying to get Jackrabbit installed
Date Thu, 20 Aug 2009 21:22:49 GMT
kbar wrote:
> ... as disabling the security I guess is not such a great idea once
> the site goes into production.
> 
Do not take my word for this, as I am far from being a Java expert.
As far as I can understand it however, the Java security manager, in the 
case of Tomcat, is there mainly to protect you from yourself, unless you 
are allowing other people to upload webapps to your server.
When enabled, the JVM establishes kind of a "sandbox" around your 
classes, the basic idea being that everything that is not explicitly 
allowed, is forbidden.
When it is in force, you have to give your webapp classes explicit 
permissions to access the filesystem, the network, the system properties 
etc.
It does not have much to do with the protection of your server against 
unauthorised Internet access by miscreants.
Unless such miscreants are able to load their own webapps in your 
server, in which case I would presume they might also be smart enough to 
modify your catalina.policy files anyway, and give their classes all the 
permissions they want.

I also presume that running with the security manager enabled has a 
cost in terms of efficiency.  So your webapps will probably run faster 
without it.
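
Added illustration, not part of the original message and not Tomcat's shipped policy file: what "explicit permissions" for a webapp look like in catalina.policy, with an over-broad grant shown beside a narrow one. The webapp name `mywebapp`, the data directory and the database host are hypothetical.

```java
// Constructed catalina.policy fragment (Java policy-file syntax).
// "mywebapp", the data directory and the host below are hypothetical.
// The policy file is only enforced when Tomcat is started with the
// security manager, e.g.:  catalina.sh start -security

// Over-broad: gives the webapp every permission, so the sandbox no
// longer restricts anything it does. Shown commented out for comparison.
// grant codeBase "file:${catalina.base}/webapps/mywebapp/-" {
//     permission java.security.AllPermission;
// };

// Narrow: anything not listed here is denied to this webapp's classes.
grant codeBase "file:${catalina.base}/webapps/mywebapp/-" {
    // Filesystem: the data directory itself (read) ...
    permission java.io.FilePermission
        "${catalina.base}/data/mywebapp", "read";
    // ... and everything beneath it, recursively ("-").
    permission java.io.FilePermission
        "${catalina.base}/data/mywebapp/-", "read,write,delete";

    // Network: outbound connections to a single host and port.
    permission java.net.SocketPermission
        "db.example.internal:5432", "connect,resolve";

    // System properties: read access to one named property.
    permission java.util.PropertyPermission
        "java.io.tmpdir", "read";
};
```

With a grant like this in force, an access outside the listed resources fails with a `java.security.AccessControlException`, whose message names the missing permission.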


