Right, there are no security sensitive classes in Tomcat 4 o.a.c.util. I advocated at one time identifying which packages within o.a.c contain security sensitive code and which don't. And documenting this so that a security sensitive class doesn't get added to a package considered public.
For starters, o.a.c.util could be identified as a package where no security sensitive classes can be located. And with JSR 115 incorporating JAAS into J2EE, perhaps it would be best to have a o.a.c.security package. Regards, Glenn Jean-Francois Arcand wrote: > Hi Glenn, > > your last addition seems, IMO, to open a security isssue with classes > located under the o.a.c.util directory. Actually, maybe not for Tomcat > 4.1, but for 5.0, I have created a class called SecurityAudit.java that > contains some security check. If we port your latest changes, this class > will be exposed to malicious uses. Also, Is there a reason why we are > giving the " > > defineClassInPackage"? > > > I think two solutions are available (1) move sensitive classes to > another package (2) create a "public" package where we want to give > access to some internal class. > > What is your recommendation? > > Thanks, > > -- Jeanfrancois > > > > [EMAIL PROTECTED] wrote: > >> glenn 2002/09/30 12:59:47 >> >> Modified: catalina/src/conf catalina.policy >> Log: >> Allow defineClassInPackage for util due to Request Parametermap needs >> >> Revision Changes Path >> 1.28 +3 -1 >> jakarta-tomcat-4.0/catalina/src/conf/catalina.policy >> >> Index: catalina.policy >> =================================================================== >> RCS file: >> /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v >> retrieving revision 1.27 >> retrieving revision 1.28 >> diff -u -r1.27 -r1.28 >> --- catalina.policy 8 Sep 2002 18:04:02 -0000 1.27 >> +++ catalina.policy 30 Sep 2002 19:59:47 -0000 1.28 >> @@ -121,6 +121,8 @@ >> // Required for sevlets and JSP's >> permission java.lang.RuntimePermission >> "accessClassInPackage.org.apache.catalina.util"; permission >> java.lang.RuntimePermission >> "accessClassInPackage.org.apache.catalina.util.*"; >> + permission java.lang.RuntimePermission >> "defineClassInPackage.org.apache.catalina.util"; >> + permission java.lang.RuntimePermission >> "defineClassInPackage.org.apache.catalina.util.*"; >> // Required for running servlets generated by JSPC >> permission java.lang.RuntimePermission >> "accessClassInPackage.org.apache.jasper.runtime"; >> >> >> >> >> -- >> To unsubscribe, e-mail: >> <mailto:[EMAIL PROTECTED]> >> For additional commands, e-mail: >> <mailto:[EMAIL PROTECTED]> >> >> >> >> > > > -- > To unsubscribe, e-mail: > <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: > <mailto:[EMAIL PROTECTED]> -- ---------------------------------------------------------------------- Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder | MOREnet System Programming | * if iz ina coment. | Missouri Research and Education Network | */ | ---------------------------------------------------------------------- -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
