Re: Security Check in Classloader.

2002-10-24 Thread Glenn Nielsen
Jean-Francois Arcand wrote:

Hi,

In StandardClassLoader, starting line 815, the SecurityManager is invoked:

   // (.5) Permission to access this class when using a SecurityManager
   if (securityManager != null) {
       int i = name.lastIndexOf('.');
       if (i >= 0) {
           try {
               securityManager.checkPackageAccess(name.substring(0,i));
           } catch (SecurityException se) {
               String error = "Security Violation, attempt to use " +
                   "Restricted Class: " + name;
               System.out.println(error);
               se.printStackTrace();
               log(error);
               throw new ClassNotFoundException(error);
           }
       }
   }

Why are we calling the SecurityManager.checkPackageAccess in 
StandardClassLoader? Since we give all permissions to 
org.apache.catalina, I think this call is useless. This call is required 
when invoked inside WebappClassLoader.


Because a paranoid Tomcat admin like me may not grant AllPermission to catalina
in their security policy.

Regards,

Glenn


--
To unsubscribe, e-mail:   mailto:tomcat-dev-unsubscribe;jakarta.apache.org
For additional commands, e-mail: mailto:tomcat-dev-help;jakarta.apache.org
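
An added example, not part of the original thread and not Tomcat's code: the same guard run against a policy that behaves like AllPermission and against one that grants no accessClassInPackage permission. PolicyStub, guard and the package.access value are constructed for the demo, and it assumes JDK 17 or earlier, where SecurityManager is still functional.

```java
import java.security.Permission;
import java.security.Security;

public class PackageAccessDemo {

    // Constructed stand-in for a policy: grants everything (like AllPermission)
    // or denies every accessClassInPackage.* permission (a locked-down policy).
    @SuppressWarnings("removal")
    static final class PolicyStub extends SecurityManager {
        private final boolean allPermission;
        PolicyStub(boolean allPermission) { this.allPermission = allPermission; }

        @Override
        public void checkPermission(Permission p) {
            if (!allPermission && p instanceof RuntimePermission
                    && p.getName().startsWith("accessClassInPackage.")) {
                throw new SecurityException("not granted: " + p);
            }
        }
    }

    // Same guard as the snippet quoted in the thread, without the class loading after it.
    @SuppressWarnings("removal")
    static void guard(SecurityManager securityManager, String name)
            throws ClassNotFoundException {
        if (securityManager != null) {
            int i = name.lastIndexOf('.');
            if (i >= 0) {
                try {
                    securityManager.checkPackageAccess(name.substring(0, i));
                } catch (SecurityException se) {
                    throw new ClassNotFoundException(
                        "Security Violation, attempt to use Restricted Class: " + name);
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Set before the first checkPackageAccess call, which caches the list.
        Security.setProperty("package.access", "org.apache.catalina.");
        String name = "org.apache.catalina.core.StandardContext"; // name only, never loaded
        guard(new PolicyStub(true), name);
        System.out.println("AllPermission-style policy: check passes");
        try {
            guard(new PolicyStub(false), name);
        } catch (ClassNotFoundException e) {
            System.out.println("Restricted policy: " + e.getMessage());
        }
        guard(new PolicyStub(false), "com.example.Foo"); // package not listed: no permission check
        System.out.println("Unlisted package: check passes");
    }
}
```

The check only consults the policy for packages listed in the package.access security property, so it is a no-op under AllPermission and turns into a ClassNotFoundException once that grant is withheld.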




Security Check in Classloader.

2002-10-23 Thread Jean-Francois Arcand
Hi,

In StandardClassLoader, starting line 815, the SecurityManager is invoked:

   // (.5) Permission to access this class when using a SecurityManager
   if (securityManager != null) {
       int i = name.lastIndexOf('.');
       if (i >= 0) {
           try {
               securityManager.checkPackageAccess(name.substring(0,i));
           } catch (SecurityException se) {
               String error = "Security Violation, attempt to use " +
                   "Restricted Class: " + name;
               System.out.println(error);
               se.printStackTrace();
               log(error);
               throw new ClassNotFoundException(error);
           }
       }
   }

Why are we calling the SecurityManager.checkPackageAccess 
in StandardClassLoader? Since we give all permissions to 
org.apache.catalina, I think this call is useless. This call is required 
when invoked inside WebappClassLoader.

Thanks,

-- Jeanfrancois





Re: Security Check in Classloader.

2002-10-23 Thread Jean-Francois Arcand
Forget that email. The problem is in front of the computer, not in the 
class ;-)
-- Jeanfrancois

Jean-Francois Arcand wrote:

Hi,

In StandardClassLoader, starting line 815, the SecurityManager is 
invoked:

   // (.5) Permission to access this class when using a SecurityManager
   if (securityManager != null) {
       int i = name.lastIndexOf('.');
       if (i >= 0) {
           try {
               securityManager.checkPackageAccess(name.substring(0,i));
           } catch (SecurityException se) {
               String error = "Security Violation, attempt to use " +
                   "Restricted Class: " + name;
               System.out.println(error);
               se.printStackTrace();
               log(error);
               throw new ClassNotFoundException(error);
           }
       }
   }

Why are we calling the SecurityManager.checkPackageAccess in 
StandardClassLoader? Since we give all permissions to 
org.apache.catalina, I think this call is useless. This call is 
required when invoked inside WebappClassLoader.

Thanks,

-- Jeanfrancois





