De: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>Thanks for ordering us around. :-)
>
>I have it on my LONG list of TODO things to look at when I get a
>chance...if someone else who has CVS write who wants to get to it earlier
>than I can, that would be great.
I'm not sure what you mean. If it's about putting at CVS, I suppose that I
still have CVS write access, assuming that it hadn't been cleared because of
not using it for eons (it should) :-)
What I should do is explain it a bit more: This stuff is very basic, but
provides:
1) Essential protection against typical abuses (read/write/delete only
allowed files, connections, etc.)
2) Its own logging: very important, because if the offending servlet catches
all SecurityExceptions then you have no idea that someone is probing your
security. This is not possible if you simply use a JDK1.2 policy file AFAIK,
and logging is extremely important in security.
3) Configurability. You can configure the security manager from JServ, but
you cannot do the same from any servlet. And you are not bound to the
configuration syntax of any particular security manager (I mean that
different Managers could have different config keywords, etc.)
4) Compatible with SecurityManagers that do not implement the interfaces,
regardless of being specified at the configuration file level, or at the
command line.
I have a servlet that tries to do several nasty things (I used it to test
the SecurityManager), maybe I could put it available on the tarball, so
anyone can add his own attempts to fool the security).
I've been looking at JServ (and now at Tomcat) to add more complex
configurability and this seems perfectly possible. The impact on performance
is something to take into account, however, as while the current stuff is
very light, this would not be the case if one puts such refinements.
Essentially, what I've put provides reasonably good protection without any
significant performance penalty.
Carlos
--
----------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Archives and Other: <http://java.apache.org/main/mail.html>
Problems?: [EMAIL PROTECTED]
