Hi Juha!
Yes, I did, but it's kinda hard for me to estimate all possible threats and
the Tomcat's ability to provide the defence
I suppose it should be
1) No thread creation
2) No IO operations
3) No any "direct" System API invokations, only JAVA API -(cause it can lead
to undesired consequences), and what about changing some crutial standard
java properties, like system encoding?
4) No any "fake" operations to load the processor, like while(true){do
something useless}
5) -?
2) and maybe 3) are implementable, I suppose, but I'm not sure about 1) 4)
and 5)
Juha Laiho wrote:
>
> kazukin6 wrote:
>> Is it possible to disable all java code execution within jsp page (by
>> security manager or something)
>> but allow custom tags to be executed?
>>
>> The problem is that the users can change jsp files, and due to security
>> reasons we can allow them to use only tags
>
> Unfortunately I don't have an idea on how to prevent Java snippets
> in JSPs, but have you considered whether using Java security manager
> would be enough to defend you against the estimated threats?
> --
> ..Juha
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>
--
View this message in context:
http://www.nabble.com/Disable-java-code-execution-%3C-blabla-%3E-in-jsp%2C-but-permits-tags-tp19415053p19434137.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
