[EMAIL PROTECTED] wrote:
> 
> On Thu, 17 May 2001, Glenn Nielsen wrote:
> 
> > > This is the approach that Tea <http://opensource.go.com/> uses as well as
> > > the general idea behind taglibs. The problem with taglibs is that there is
> > > no restriction on the ability to put Java code in the page. It is part of
> > > the JSP specification to be able to do that. Sure, you can disable it (as
> > > Costin said), but then you are breaking the JSP specification. And I know
> > > how important "standards" are to everyone...
> > >
> >
> > But now that both Tomcat 3.2 and Tomcat 4 support the Java SecurityManager
> > you can control security at the container level regardless of whether someone
> > is using the CFM servlet, velocity, CoCoon, JSP, etc.
> 
> I guess he's referring to DOS attacks ( like a while(true); in java code
> or allocating lots of memory ).

You won't have much of a templating language if you don't allow some
sort of looping.  Kind of hard to restrict that.

To handle both of the above cases it requires monitoring the performance of 
the JVM Tomcat is running in, monitoring Tomcat, and individual servlets/jsp's.  
Then a sysadmin can revoke privileges for anyone who does something like the 
above intentionally or from ignorance.

It would be nice if self monitoring were built into Tomcat so sysads could
track statistics on performance of the JVM, Tomcat in general, and individual
servlets/JSP's.  Even setting thresholds when automated email notifications
could be done.  Let's give sysadmins the information they need, then they
can take action against problem users.

I still think that using the SecurityManager implementation in Tomcat with a 
well tuned security policy can provide one of the most secure environments 
available for running web based applications. This is just my opinion,
feel free to try and convince me some other technology is more secure.

Regards,

Glenn

----------------------------------------------------------------------
Glenn Nielsen             [EMAIL PROTECTED] | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
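An added example, not from the thread or from Tomcat itself, of the self-monitoring Glenn describes: a JVM-level watchdog that samples per-thread CPU time and heap use via java.lang.management (Java 8+ assumed) and raises an alert when a thread burns through a CPU budget, which is the while(true) case a SecurityManager policy cannot prevent. The thresholds, the thread name "request-42" and the class name are assumptions.

```java
// Added example: watchdog for runaway threads and heap use (not Tomcat's own code).
// Thresholds and the "request-42" thread name are constructed for illustration.
import java.lang.management.*;
import java.util.*;
public class RunawayWatchdog {
    private final ThreadMXBean threads = ManagementFactory.getThreadMXBean();
    private final MemoryMXBean memory = ManagementFactory.getMemoryMXBean();
    private final Map<Long, Long> lastCpu = new HashMap<>(); // last CPU reading per thread id
    private final long cpuBudgetNanos;   // CPU time a thread may use per sampling interval
    private final long heapLimitBytes;   // heap use at which to raise an alert
    RunawayWatchdog(long cpuBudgetNanos, long heapLimitBytes) {
        this.cpuBudgetNanos = cpuBudgetNanos;
        this.heapLimitBytes = heapLimitBytes;
        threads.setThreadCpuTimeEnabled(true); // per-thread accounting is off by default on some JVMs
    }
    /** One sampling pass: returns human-readable alerts, empty if all is well. */
    List<String> sample() {
        List<String> alerts = new ArrayList<>();
        for (ThreadInfo info : threads.getThreadInfo(threads.getAllThreadIds())) {
            if (info == null) continue;                // thread exited between the two calls
            long id = info.getThreadId();
            long cpu = threads.getThreadCpuTime(id);   // -1 if unsupported or thread gone
            if (cpu < 0) continue;
            long delta = cpu - lastCpu.getOrDefault(id, cpu); // first sample is the baseline
            lastCpu.put(id, cpu);
            if (delta > cpuBudgetNanos) {
                alerts.add("thread " + info.getThreadName() + " used "
                        + delta / 1_000_000 + " ms CPU in one interval");
            }
        }
        long used = memory.getHeapMemoryUsage().getUsed();
        if (used > heapLimitBytes) {
            alerts.add("heap used " + (used >> 20) + " MB exceeds limit");
        }
        return alerts;
    }
    public static void main(String[] args) throws InterruptedException {
        // Constructed offender: the while(true) case from the thread, in a named thread.
        Thread spinner = new Thread(() -> { while (true) { } }, "request-42");
        spinner.setDaemon(true);
        spinner.start();
        RunawayWatchdog dog = new RunawayWatchdog(500_000_000L, 256L << 20); // 500 ms, 256 MB
        dog.sample();                                   // baseline reading
        Thread.sleep(1000);                             // one sampling interval
        for (String a : dog.sample()) System.out.println("ALERT: " + a);
    }
}
```

In a container the sampling pass would run on a timer and feed the thresholds-to-email notification Glenn proposes; the alert text identifies the thread, which Tomcat names per request-processing thread.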
