> I was considering doing a virtual hosting solution
> that allows Apache+JBoss+Tomcat to allow users
> to implement their own webapps. Is there any
> protection from a user putting a "System.exit(0)"
> into their code? Is there a way to prevent this?
>
> Should the virtual hosting features of tomcat
> be used or should there be a separate JVM for
> each JBoss+Tomcat, all under a single Apache?
> Has anyone done this already?
For EJB components it is sufficient to set the <secure> tag in jboss.xml to
true. That will enforce the restrictions of the EJB 1.1 specification,
providing a security manager has been set (uncomment the appropriate line in
jboss.properties to do that). Done. Now, if a bean developer specifies
<secure>false</secure> and you don't want to allow that, we have no
mechanism for this yet. We should probably add a setting "secureonly" to the
ContainerFactory to force security to be on no matter what the jboss.xml
setting says.
I think Tomcat has something similar.
/Rickard
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Problems?: [EMAIL PROTECTED]
