[ http://jira.xwiki.org/jira/browse/XWIKI-348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_20267 ]

Sergiu Dumitriu commented on XWIKI-348:
---------------------------------------

With the new component-based architecture, Plexus fails to initialize with a 
"java.lang.RuntimePermission createClassLoader" permission exception.

> XWiki does not work with java security on
> -----------------------------------------
>
>                 Key: XWIKI-348
>                 URL: http://jira.xwiki.org/jira/browse/XWIKI-348
>             Project: XWiki Platform
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 0.9.1252
>         Environment: Debian, tomcat -secure
>            Reporter: Sergiu Dumitriu
>         Assigned To: Sergiu Dumitriu
>            Priority: Critical
>             Fix For: Future
>
>
> Servlets can work in two security models: the standard servlet model and the 
> standard java model.
> The standard servlet model is on by default on most distributions and web 
> servers. In this model, a webapp cannot exit the directory specified by the 
> docBase attribute of the Context element, but no other restrictions apply, 
> meaning that a servlet or jsp can call System.exit() and shut down the whole 
> server. In this model, / in a path means the directory or .war file of the 
> webapp.
> The java security model is the one active for applets and WebStart 
> applications. Such an application can access anything as long as there is a 
> policy that gives the proper rights. This model can be selected in tomcat by 
> starting it with "tomcat start -security". In this model, / means the system 
> root.
> The problem is that all paths in XWiki are specified with a leading /. So, 
> every file is searched on the root filesystem instead of the XWiki directory.
> This can be fixed by removing the leading / in all paths. The servlet 
> specification says that all relative paths start from the docBase, so nothing 
> else should be changed.

-- 
This message is automatically generated by JIRA.