Not so!  Two reasons.

a. "Arbitrary java code" can still be run under a server policy that
   does not allow the arbitrary code to do arbitrary things.  Refer to
   security features in Java if you want further information on this.
   So for example, a featureful server could be configured to not let
   JSPs running out of "~user/*" do arbitrary things.

b. You have to assume that the JSP server is not fighting against
   malicious JSPs.  Your server is as secure as your file system. If a
   hacker can hack into your doc root and place a malicious JSP there,
   they can do a lot better, oh I mean, worse.

-abhishek
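
A concrete form of the per-codebase policy described in point (a), as an added example that is not from the original thread: a Java 2 security policy file for a container that compiles JSPs from "~user/*" into classes under a directory of their own. All paths are hypothetical, and the server would have to be started with -Djava.security.manager -Djava.security.policy==/path/to/this.policy for it to take effect.

```java
// Added example (not from the original thread): Java 2 policy file.
// Assumed (hypothetical) layout:
//   /opt/jspserver/lib/          the container's own jars
//   /var/jsp/classes/app/        classes compiled from the application's JSPs
//   /var/jsp/classes/users/      classes compiled from "~user/*" JSPs

// The container itself keeps full permissions.
grant codeBase "file:/opt/jspserver/lib/-" {
    permission java.security.AllPermission;
};

// Application-owned JSPs are trusted as much as the application.
grant codeBase "file:/var/jsp/classes/app/-" {
    permission java.security.AllPermission;
};

// Weak setting (left commented out on purpose): this would hand every
// "~user/*" JSP the same power as the application, which is exactly the
// gap Dirk is worried about.
// grant codeBase "file:/var/jsp/classes/users/-" {
//     permission java.security.AllPermission;
// };

// Restricted setting: user JSPs may read files under the user web roots
// and a couple of harmless properties, and nothing else. With a security
// manager installed, everything not granted here is denied, so these
// classes cannot write files, open sockets, exec processes, or use
// RuntimePermission "accessDeclaredMembers" to poke at the application's
// beans via reflection.
grant codeBase "file:/var/jsp/classes/users/-" {
    permission java.io.FilePermission "/home/-", "read";
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "line.separator", "read";
};
```

Note that the policy is keyed on where the compiled class was loaded from, so the container has to keep user JSPs in a separate output directory for the distinction to mean anything. The SecurityManager this relies on is deprecated for removal in current JDKs (JEP 411), so this is a description of the Java 2 mechanism the thread refers to rather than something to build on today.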



Dirk Bracklow wrote:
> points to powerful. For instance an HTML author has the possibility to
> include scripts written in Java. The scripts can do "anything". This
> could be a security gap, because a JSP-generated servlet runs with
> "shadow"-beans (proxies of the real application) and the real
> application on the same JVM.
> I believe an untrusted HTML author can write a JSP file which attacks the
> application (Of course the hacker needs some more information about the
> application.).
> I would like to have the possibility to customize the "features" of the
> JSP, for instance to prohibit scripting-centric tags or server side
> includes. Does anyone know an implementation of JSP with such options?
>
> I would be grateful for any information.
>
> Regards,
> Dirk Bracklow
> --
> Dirk Bracklow    S.E.S.A. GmbH  Germany (http://www.sesa.de)
> mailto:[EMAIL PROTECTED]

===========================================================================
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff JSP-INTEREST".  For general help, send email to
[EMAIL PROTECTED] and include in the body of the message "help".
