Jon Stevens wrote:
>
> on 5/17/01 12:47 PM, "Glenn Nielsen" <[EMAIL PROTECTED]> wrote:
>
> > But now that both Tomcat 3.2 and Tomcat 4 support the Java SecurityManager
> > you can control security at the container level regardless of whether someone
> > is using the CFM servlet, velocity, CoCoon, JSP, etc.
>
> Not true.
>
> <http://jakarta.apache.org/velocity/ymtd/ymtd-hosting.html>
>
> Hashtable strings = new Hashtable();
> int i=0;
> while (true)
> {
>     strings.put ("dead"+i, new StringBuffer(999999));
> }
>
> There is no amount of security that will prevent someone from putting that
> into their JSP page other than disabling the ability to put scriptlets into
> things. If you do that, then you are simply where you should have been in
> the first place...using Velocity.
>
Yes, but using Velocity templates limits a great deal what customers
can do when compared to a general purpose servlet container where
web applications can be deployed. There is a great deal more to
security than just preventing a 'trusted user' who can publish content
from doing something stupid. Nowhere in your YMTD document do I see
anything about security, just your reference above to a trusted user
DoS. Heck, if one of my customers wants to use Velocity, they can do
so if it can be deployed as a web application, but it will have to
run within the security policies we set for the Tomcat Java SecurityManager. ;-)
Regards,
Glenn
----------------------------------------------------------------------
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
----------------------------------------------------------------------
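The "security policies we set for the Tomcat Java SecurityManager" that Glenn refers to are, in Tomcat, `grant codeBase` blocks in catalina.policy. As an added illustration that is not part of this thread and not Tomcat's own code, the following Java program installs an equivalent least-privilege policy programmatically in a plain JVM: code may read files below one sandbox directory (here the JVM's temp directory, a hypothetical stand-in for a webapp's own directory) and nothing else, and a read outside it is refused before the file is opened. Class and method names are invented for the example.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.FileReader;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;

// Added illustration, not code from the thread: the kind of least-privilege
// grant a Tomcat catalina.policy expresses, installed programmatically so it
// runs in a plain JVM without Tomcat. The sandbox directory is hypothetical.
public class WebappPolicyDemo {

    /** Policy that lets code read files below one directory and nothing else. */
    static final class ReadOnlyDirPolicy extends Policy {
        private final FilePermission readBelow;

        ReadOnlyDirPolicy(String allowedDir) {
            // "-" matches the directory and everything beneath it, as in a policy file.
            readBelow = new FilePermission(allowedDir + File.separator + "-", "read");
        }

        @Override
        public PermissionCollection getPermissions(ProtectionDomain domain) {
            Permissions perms = new Permissions();   // fresh copy: callers may add to it
            perms.add(readBelow);
            return perms;
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return readBelow.implies(permission);
        }
    }

    /** Attempts a read and reports whether the policy allowed it. */
    static String tryRead(String path) {
        try (FileReader r = new FileReader(path)) {
            r.read();
            return "allowed: " + path;
        } catch (AccessControlException e) {
            // FileInputStream's checkRead() fails before the file is ever opened.
            return "denied by policy: " + path + " (" + e.getPermission() + ")";
        } catch (IOException e) {
            return "allowed by policy, but I/O failed: " + path + " (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        // Prepare the sandbox before the manager is installed: creating files,
        // scheduling their deletion and reading system properties are themselves
        // permission-checked calls.
        File sandbox = new File(System.getProperty("java.io.tmpdir")).getAbsoluteFile();
        File inside = File.createTempFile("policy-demo", ".txt", sandbox);
        inside.deleteOnExit();
        File outside = new File(File.separator + "etc" + File.separator + "hostname");

        Policy.setPolicy(new ReadOnlyDirPolicy(sandbox.getPath()));
        // JDK 18 and later refuse this call unless started with -Djava.security.manager=allow.
        System.setSecurityManager(new SecurityManager());

        System.out.println(tryRead(inside.getPath()));
        System.out.println(tryRead(outside.getPath()));
    }
}
```

Run it with `java WebappPolicyDemo` (on JDK 18 or later, `java -Djava.security.manager=allow WebappPolicyDemo`); the first read succeeds and the second is rejected with the FilePermission that was missing. In Tomcat the same grant is written declaratively, for example `grant codeBase "file:${catalina.home}/webapps/<app>/-" { permission java.io.FilePermission "${catalina.home}/webapps/<app>/-", "read"; };` in catalina.policy, with `<app>` a placeholder. Two caveats matter for the argument in this thread. First, the SecurityManager only intercepts operations that call a check (file, socket, property, thread and reflection access); allocating memory or spinning in a loop is never a checked operation, so a policy like this one does not address Jon's allocation loop, and memory and CPU limits have to come from the JVM (`-Xmx`) or from running untrusted tenants in separate processes. Second, the SecurityManager has been deprecated for removal since JDK 17 and is permanently disabled from JDK 24, so on current JVMs this isolation model is no longer available at all.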