On Thu, 17 May 2001, Glenn Nielsen wrote:
> > This is the approach that Tea <http://opensource.go.com/> uses as well as
> > the general idea behind taglibs. The problem with taglibs is that there is
> > no restriction on the ability to put Java code in the page. It is part of
> > the JSP specification to be able to do that. Sure, you can disable it (as
> > Costin said), but then you are breaking the JSP specification. And I know
> > how important "standards" are to everyone...
> >
>
> But now that both Tomcat 3.2 and Tomcat 4 support the Java SecurityManager
> you can control security at the container level regardless of whether someone
> is using the CFM servlet, velocity, CoCoon, JSP, etc.
I guess he's refering to DOS attacks ( like a while(true); in java code
or allocating lots of memory ).
This can be slightly controlled by restricting access to <% %>, not
allowing any servlet nor user code - but only a set of
"instrumented" taglibs.
I'm not sure how many users will host their webapps on sites that do not
support servlets or any user code but only a very restricted templating
system - and certainly that doesn't fit into the standard ( since servlets
will have to be disabled, and only "pure" JSPs and no custom taglib can be
allowed ).
Extending jasper to allow the admin to control what tag extensions are
allowed is possible - and of course tomcat can be hacked to not allow
servlets, libs, webapps - except that it will no longer be tomcat, but a
something that runs only pure JSPs and nothing else.
There are few things to try - like using jpda or special VMs - but this is
very "experimental".
Costin
