This mailing system is driving me crazy - I write something and I'm
already an hour out of sync.
I think that this is an issue and as it addresses security, I think that
spending just a little time on getting it right at the beginning will
make for a sweet, long-lasting recipe.
An example that comes to mind is one entity having access to an
authentication mechanism, such as an API dealing with certificate
serving. If a rogue entity begins to use this mechanism then it can
mimic the Authority. This is not safe.
David Jencks wrote:
>
> On 2001.09.22 12:54:16 -0400 Nick Betteridge wrote:
> >
> > > Also, a question about j2ee deployment. (sorry I've only been looking at
> > > j2ee pfd 3) There are a lot of classpath descriptions in section 8.3.1/2
> > > etc. referring to using manifest classpath entries to figure out what to
> > > include in the application classpath. However, it seems to me that if we
> > > simply include _all_ packages found in the ear in the application
> > > classpath, we will be satisfying this requirement without having to look at
> > > these classpath entries. Is there a problem with this approach? Did I
> > > miss something?
> >
> >
> > What happens when there is a tiered structure within an enterprise, with
> > security restrictions applying to certain domains/departments ...
> > whatever.
> >
> > Surely the only way to manage access to APIs is via a
> > classpath/classloaders and security managers, and this is dealt with by
> > the 'packaging' mechanism before passing the ear over to the deployer.
> >
> > Or have I missed something?
>
> I don't know how much either one of us may have missed ;-)
>
> I am not a security expert, and haven't looked at the security aspects of
> j2ee application packaging. However my impression from reading (some of)
> the j2ee specs and (again, some of) the jboss code is that each application
> gets an application classloader, and all classes in that classloader are
> essentially equivalent as far as the classloader is concerned. (presumably
> not as far as security is concerned, but that's a different question).
>
> So my question is, again, only as far as the application classloader, and
> ignoring security for the moment, can we just include everything in the ear
> that looks like a package containing classes, and not worry about tracing
> the manifest classpath entries inside the ear? Is this spec compliant (I
> think yes) and does it cause problems (I'm asking).
>
> Thanks, I hope I haven't misunderstood what you are saying, if I have
> please clarify.
>
> david jencks
>
> >
> > _______________________________________________
> > Jboss-development mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/jboss-development
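Added example (not part of the original thread and not JBoss code): a Python comparison of the two approaches discussed above, following manifest Class-Path entries versus including every archive in the ear, listing which archives a module never declared but would still share a classloader with. The archive names (hr-ejb.jar, finance-ejb.jar, lib/cert-api.jar, echoing the certificate-serving API example) and all function names are hypothetical, and the ear is constructed in memory; the code reports archive sets only and makes no claim about what the j2ee spec requires.

```python
import io, posixpath, zipfile

def make_jar(class_path=""):  # constructed jar (bytes) holding only a manifest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        cp = f"Class-Path: {class_path}\r\n" if class_path else ""
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n" + cp)
    return buf.getvalue()

def manifest_class_path(jar_bytes):
    """Class-Path entries of a jar; continuation lines (newline + space) unfolded."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        if "META-INF/MANIFEST.MF" not in z.namelist():
            return []
        raw = z.read("META-INF/MANIFEST.MF").decode("utf-8")
    for line in raw.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "class-path":
            return value.split()
    return []

def declared_archives(ear_bytes, module):
    """Archives reachable from `module` by following Class-Path transitively."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        names, seen, todo = set(ear.namelist()), set(), [module]
        while todo:
            cur = todo.pop()
            if cur in seen or cur not in names:  # also drops ../ escapes
                continue
            seen.add(cur)
            base = posixpath.dirname(cur)  # entries are relative to the referring jar
            for rel in manifest_class_path(ear.read(cur)):
                todo.append(posixpath.normpath(posixpath.join(base, rel)))
    return seen

def undeclared_but_loaded(ear_bytes, module):
    """Archives an include-everything loader adds beyond what `module` declared."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        everything = {n for n in ear.namelist() if n.endswith((".jar", ".war", ".rar"))}
    return everything - declared_archives(ear_bytes, module)

def build_sample_ear():
    """Constructed EAR; every archive name here is hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ear:
        ear.writestr("hr-ejb.jar", make_jar("lib/common.jar"))
        ear.writestr("finance-ejb.jar", make_jar("lib/common.jar lib/cert-api.jar"))
        ear.writestr("lib/common.jar", make_jar())
        ear.writestr("lib/cert-api.jar", make_jar())
    return buf.getvalue()
```

For the sample ear, `undeclared_but_loaded(build_sample_ear(), "hr-ejb.jar")` returns finance-ejb.jar and lib/cert-api.jar: archives the hr module never named in its manifest.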