http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12968

[Possible security hole?] package.access security in Catalina/CatalinaService

------- Additional Comments From [EMAIL PROTECTED] 2002-09-25 17:36 -------

Ouch!

Glenn, I was just pointing out that since you take the time to protect the subpackages of org.apache.catalina and org.apache.jasper (and rightfully so), you might as well protect the packages themselves. It just so happens that the classes in each package aren't loadable by webapps because they are loaded by the "server" classloader, which is not part of the delegation path from the webapp classloader. However, if a public class gets introduced directly in org.apache.catalina or org.apache.jasper and is part of bin/bootstrap.jar, in the "common" classloader path, or in the "webapp" classloader path, that class WILL get loaded and an AccessControlException won't get thrown. It's just a suggestion to avoid introducing a security hole.

As a side issue, forgive me if I don't keep up with all the protocols of when and where to post what, but perhaps you can look past that for a second and be a bit more THANKFUL of others for trying to HELP you with an OPEN source project.

Regards.