Hi Juha! Yes, I did, but it's kinda hard for me to estimate all possible threats and the Tomcat's ability to provide the defence
I suppose it should be
1) No thread creation
2) No IO operations
3) No "direct" System API invocations, only JAVA API (because it can lead to undesired consequences), and what about changing some crucial standard java properties, like system encoding?
4) No "fake" operations to load the processor, like while(true){do something useless}
5) -?

2) and maybe 3) are implementable, I suppose, but I'm not sure about 1) 4) and 5)

Juha Laiho wrote:
>
> kazukin6 wrote:
>> Is it possible to disable all java code execution within jsp page (by
>> security manager or something)
>> but allow custom tags to be executed?
>>
>> The problem is that the users can change jsp files, and due to security
>> reasons we can allow them to use only tags
>
> Unfortunately I don't have an idea on how to prevent Java snippets
> in JSPs, but have you considered whether using Java security manager
> would be enough to defend you against the estimated threats?
> --
> ..Juha
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

--
View this message in context: http://www.nabble.com/Disable-java-code-execution-%3C-blabla-%3E-in-jsp%2C-but-permits-tags-tp19415053p19434137.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
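
An added example, not part of the original message or of Tomcat: a check for the situation in the quoted question, where users edit JSP files and only tags are allowed. It flags JSP scripting elements and ignores directives, comments and custom tags; the function names and the sample pages are constructed for illustration.

```python
import re

# One pass over the JSP source. Comments and directives are matched first so
# their contents are skipped; only the named groups are reported.
SCRIPTING = re.compile(
    r"<%--.*?--%>"                          # JSP comment (ignored)
    r"|<%@.*?%>"                            # directive, e.g. taglib (ignored)
    r"|(?P<declaration><%!.*?%>)"
    r"|(?P<expression><%=.*?%>)"
    r"|(?P<scriptlet><%(?:.*?%>)?)"         # also an unterminated "<%"
    r"|(?P<xml><jsp:(?:scriptlet|expression|declaration)\b)",
    re.DOTALL,
)


def find_scripting(source):
    """Return [(line_number, kind)] for every Java scripting element."""
    findings = []
    for m in SCRIPTING.finditer(source):
        kind = m.lastgroup
        if kind is None:                    # comment or directive
            continue
        if kind == "xml":
            kind = m.group("xml")[1:]       # e.g. "jsp:scriptlet"
        line = source.count("\n", 0, m.start()) + 1
        findings.append((line, kind))
    return findings


def is_tags_only(source):
    """True when the page contains no Java scripting elements."""
    return not find_scripting(source)


# Constructed sample pages (assumptions, not taken from the thread).
TAGS_ONLY = (
    '<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>\n'
    "<%-- a comment mentioning <% code %> is not code --%>\n"
    '<c:forEach var="i" items="${items}"><c:out value="${i}"/></c:forEach>\n'
)
WITH_JAVA = (
    '<%@ page contentType="text/html" %>\n'
    "<%! int hits = 0; %>\n"
    "<p>Hits: <%= ++hits %></p>\n"
    "<% while (true) { } %>\n"
    "<jsp:scriptlet>new Thread().start();</jsp:scriptlet>\n"
)

if __name__ == "__main__":
    for name, page in (("TAGS_ONLY", TAGS_ONLY), ("WITH_JAVA", WITH_JAVA)):
        print(name, find_scripting(page))
```

The container-side equivalent is the JSP `scripting-invalid` element inside a `jsp-property-group` in web.xml, which makes the JSP compiler reject the same elements at translation time. Neither that setting nor this check restricts what the permitted custom tags themselves do.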