The "verifier" is enabled via the commandline. It is either on or off.
the VM does other forms of "verification" though. http://java.sun.com/docs/books/vmspec/2nd-edition/html/ConstantPool.doc.html#79383 ... -- Michael On 5/11/06, Jeff Williams <[EMAIL PROTECTED]> wrote:
Stephen de Vries wrote: > With application servers such as Tomcat, WebLogic etc, I think we have a > special case in that they don't run with the verifier enabled - yet they > appear to be safe from type confusion attacks. (If you check the > startup scripts, there's no mention of running with -verify). You're right -- I checked that too. So I think it's just too simple to talk about the verifier being either on or off. It appears to me that the verifier can be enabled for some code and not for other code. I think you're right that this behavior has something to do with the classloader that is used, but I'd really like to understand exactly what the rules are. --Jeff _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php
