I don't know if I agree with this should part - running a
SecurityManager is another layer of overhead.  We specifically choose not to
run with a security manager because:
        1.  We control or trust all of the code on our systems (if we didn't
trust it, we wouldn't use it) and if any team member used System.exit they
would be beaten with a wet noodle
        2.  We generally need all of the performance we can get

        Randy

> -----Original Message-----
> From: Luba Powell [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 13, 2001 7:22 PM
> To: [EMAIL PROTECTED]; David Wall
> Subject: Re: Tomcat as Service Crashing.
> 
> 
> What you say - is all correct.  But some basic security policy protecting
> the integrity of the JVM could be embedded as part of tomcat distribution.
> Because how many questions are we getting on the "system" - JVM
> unexpectedly crash.  And in real life many companies *should*
> but really *do* have one system which is dev, test and prod.
> Especially now with all the downsizing.
> Anyways, this is nothing against tomcat.  It is an excellent system.
> R/L
> 
> 
> 
> ----- Original Message -----
> From: "David Wall" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, June 13, 2001 7:15 PM
> Subject: Re: Tomcat as Service Crashing.
> 
> 
> > > Yes, o'course in production. In my mind - there is no place for this
> > > method in HttpServlet  - it should throw the Exception.  OK for
> > > GenericServlet, but this is Javasoft problem.
> >
> > Maybe I don't understand, but I think it should be there on development/test
> > systems as well since you clearly want to capture such coding issues as soon
> > as possible.  HttpServlet doesn't have an exit method.  That's System, so
> > another class cannot throw an exception.
> >
> > Java has a clear solution to this which is the base of their java security
> > architecture.  It includes running JVMs with a security manager (the only
> > way to go imho).  When done, System.exit() won't be allowed unless you
> > grant that permission to the code.  We don't allow code to call System.exit,
> > but we do allow shutdown hooks so that our code will know when we're being
> > shutdown using this basic policy statement (in our case, the app prefix is
> > 'ssd'):
> >
> > grant codeBase "file:${tomcat.home}/webapps/ssd/-" {
> > ...
> >       permission java.lang.RuntimePermission "shutdownHooks";
> > ...
> > };
> >
> > David
> >
> 
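The effect David describes above (a security manager that refuses System.exit but still lets the application register shutdown hooks), as an added stand-alone example that is not code from the thread; it installs the policy programmatically instead of through a policy file, and the class name ExitGuardDemo is an assumption:

```java
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

// Added example, not from the thread. The policy below is the programmatic
// equivalent of a grant block that lists "shutdownHooks" but never "exitVM":
//   grant codeBase "file:${tomcat.home}/webapps/ssd/-" {
//       permission java.lang.RuntimePermission "shutdownHooks";
//   };
// run with: java -Djava.security.manager -Djava.security.policy=<file>
public class ExitGuardDemo {

    // Demo policy: refuse every exitVM.* permission, allow everything else.
    // A production policy grants only what each codeBase actually needs.
    static final class NoExitPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission perm) {
            if (perm instanceof RuntimePermission
                    && perm.getName().startsWith("exitVM")) {
                return false;   // System.exit(n) asks for "exitVM.n"
            }
            return true;        // includes RuntimePermission "shutdownHooks"
        }
    }

    public static void main(String[] args) {
        // Install the policy first; setPolicy itself needs a permission
        // once a security manager is already active.
        Policy.setPolicy(new NoExitPolicy());
        System.setSecurityManager(new SecurityManager());

        // Allowed: the policy grants "shutdownHooks", so the hook registers
        // and will run when the JVM shuts down normally.
        Runtime.getRuntime().addShutdownHook(
            new Thread(() -> System.out.println("shutdown hook ran")));

        // Denied: the exit request is checked against the policy and refused.
        try {
            System.exit(1);
        } catch (SecurityException e) {
            System.out.println("System.exit blocked: " + e.getMessage());
        }
        System.out.println("still running after the blocked exit");
        // main returns normally here, which triggers the shutdown hook.
    }
}
```

The SecurityManager was deprecated for removal in JDK 17, and from JDK 18 on this class only runs with `-Djava.security.manager=allow`, so the approach is tied to older runtimes.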
