----- Original Message -----
From: "Jeanfrancois Arcand" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, January 06, 2004 7:40 AM
Subject: Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityClassLoad.java


>
>
> [EMAIL PROTECTED] wrote:
>
> >billbarker    2004/01/05 20:27:34
> >
> >  Modified:    catalina/src/share/org/apache/catalina/security
> >                        SecurityClassLoad.java
> >  Log:
> >  Adding classes for Coyote-Jk.
> >
> >  This addresses Bug #25819.
> >
> >  Reported By: Dario Bonino [EMAIL PROTECTED]
> >
> >  Revision  Changes    Path
> >  1.12      +13 -4     jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java
> >
> >  Index: SecurityClassLoad.java
> >  ===================================================================
> >  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java,v
> >  retrieving revision 1.11
> >  retrieving revision 1.12
> >  diff -u -r1.11 -r1.12
> >  --- SecurityClassLoad.java 31 Oct 2003 01:30:01 -0000 1.11
> >  +++ SecurityClassLoad.java 6 Jan 2004 04:27:34 -0000 1.12
> >  @@ -90,6 +90,7 @@
> >           loadJavaxPackage(loader);
> >           loadCoyotePackage(loader);
> >           loadHttp11Package(loader);
> >  +        loadJkPackage(loader);
> >       }
> >
> >
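Review bot: the added `loadJkPackage(loader);` call runs unconditionally on every startup, alongside helpers that preload security-related inner classes, yet what it pulls in (see the next hunk) is a top-level utility class from a connector package, not one of the inner classes this file exists for. Keep this line out: the preload list here should only grow with the anonymous inner classes that a doPrivileged block in the Jk code itself produces.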
> >  @@ -239,6 +240,14 @@
> >           loader.loadClass
> >               (basePackage +
> >                "CoyoteResponse$3");
> >  +    }
> >  +
> >  +    private final static void loadJkPackage(ClassLoader loader)
> >  +        throws Exception {
> >  +        String basePackage = "org.apache.tomcat.util.";
> >  +        loader.loadClass
> >  +            (basePackage +
> >  +             "buff.C2BConverter");
> >       }
> >
> >   }
> >
> >
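Review bot: the class name string `"buff.C2BConverter"` should be verified against where C2BConverter actually lives in the tomcat-util tree before this goes in; `loadJkPackage` is declared `throws Exception` and is called unconditionally from the first hunk, so a mistyped package segment becomes a ClassNotFoundException propagating out of the security preload at startup rather than a quiet no-op. More importantly, preloading a top-level class from `org.apache.tomcat.util.` here, next to helpers that only preload inner classes such as `CoyoteResponse$3`, makes that class reachable from every web application under a SecurityManager and defeats the package protection configured in catalina.properties; the `new` belongs inside a doPrivileged block in the Jk code, with only the resulting inner class listed in this file.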
> -1. That breaks the way we are implementing security. The role of this
> class is to load security related inner classes. Doing this makes the
> class available for all Servlets (that breaks the package protection
> mechanism). You should add a doPrivileged block within the jk code
> instead and load the inner class here. Also, it is now impossible to
> protect that class using the catalina.properties if you do that.
>
> If you think C2BConverter is secure and should not be protected
> (available to Servlets), add the package to the catalina.policy instead.
>

I'll revert it.  C2BC is pretty harmless (it's basically a glorified Writer
:), but it doesn't really need to be in catalina.policy.  It just seemed to
be over-kill to create a PA for one "new" statement ;).

> -- Jeanfrancois
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
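As an added illustration of the alternative the review asks for (example code, not from the commit or from the Tomcat tree): allocate the converter inside a doPrivileged block in the connector code and leave C2BConverter itself out of SecurityClassLoad. It assumes a hypothetical connector class JkOutputBuffer, that C2BConverter sits in org.apache.tomcat.util.buf (the commit writes `buff`; check the tree), and that its constructor takes a charset name.

```java
// Added example, not part of the commit or of Tomcat.
// Assumptions: JkOutputBuffer is hypothetical; C2BConverter lives in
// org.apache.tomcat.util.buf and takes a charset name in its constructor.
import java.security.AccessController;
import java.security.PrivilegedAction;
import org.apache.tomcat.util.buf.C2BConverter;

public class JkOutputBuffer {
    private C2BConverter conv;

    void setConverter(final String charset) {
        if (System.getSecurityManager() == null) {
            // No SecurityManager installed: a plain allocation is fine.
            conv = new C2BConverter(charset);
            return;
        }
        // Under a SecurityManager the access check that runs while the
        // class is resolved walks the call stack; doPrivileged stops that
        // walk at this frame, so a servlet further up the stack does not
        // have to be granted access to the tomcat-util package.
        conv = AccessController.doPrivileged(new PrivilegedAction<C2BConverter>() {
            public C2BConverter run() {
                return new C2BConverter(charset);
            }
        });
    }
}
```

The anonymous PrivilegedAction above compiles to an inner class (JkOutputBuffer$1) that is resolved lazily the first time this runs, possibly on a request thread, which is exactly the kind of entry SecurityClassLoad preloads (compare `CoyoteResponse$3` in the hunk), so that is the class to list there, not C2BConverter.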