> [EMAIL PROTECTED] wrote:
> > - backporting the 'trusted apps having access to catalina internals' from
> > 4.1
>
> How exactly is the 'trusted apps having access to catalina internals'
> implemented?

The parent CL is the Catalina CL (instead of being the shared CL).

> Recently some of that code in the WebappClassLoader was reverted after I
> demonstrated that the Java SecurityManager and a catalina.policy could
> prevent access to catalina internals.  I also posted a proposal last week
> recommending some changes in where the servlet jar files were located to
> make it easier to write a policy file and prevent inadvertent granting of
> AllPermission to servlets in $CATALINA_HOME/server/lib.  IMHO, if the
> SecurityManager is used, it is the only thing that would be needed to
> control security of 'trusted apps'.
> At one point Craig and I discussed making use of the Java SecurityManager
> the default way to start Tomcat 4.

Remy

