http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12101
SecurityManager + removal of sample webapps = unprivileged getParameter()!
[EMAIL PROTECTED] changed:
What     | Removed | Added
---------+---------+------
Priority | Other   | High

--- Additional Comments From [EMAIL PROTECTED] 2002-08-29 01:41 ---

Ok, I think I tracked the real issue down. Disregard my previous
hypotheses. :)

The problem occurs when the SecurityManager is used with the default policy.
If a request comes in, if the request processing path does NOT flow through a
class file that has all permissions granted (e.g., DefaultServlet
Catalina-internal servlet) and there is no call made to
request.getParameterNames() or request.getParameter() from code with all
permissions, BEFORE any other [user/untrusted] servlet with fewer permissions
granted, the following security exception will occur:

    StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.util.LocalStrings
    Security Violation, attempt to use Restricted Class: org.apache.catalina.util.LocalStrings_en
    java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)

Refer to the complete stack trace in the Bugzilla description for more details.

I have confirmed that this bug also exists in Tomcat 4.0.1 -- likely even
earlier. This sounds like a fairly high priority bug. Can someone take a look?

Thanks.
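
For triaging logs that contain the messages quoted in the comment above, the following Python sketch groups restricted-class violations by package and extracts the denied permissions. It is an added example, not part of the original bug report or of Tomcat; the function names and the sample log (the quoted lines joined onto single lines) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three messages quoted in the comment, each joined
# onto one line, plus one unrelated line.
SAMPLE_LOG = """\
StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.util.LocalStrings
Security Violation, attempt to use Restricted Class: org.apache.catalina.util.LocalStrings_en
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
INFO: request completed
"""

RESTRICTED = re.compile(r'attempt to use Restricted Class:\s*([\w.$]+)')
# Newer JVMs quote the permission type and name; accept both forms.
DENIED = re.compile(r'AccessControlException: access denied \("?([\w.$]+)"? "?([^\s")]+)')
PKG_PREFIX = "accessClassInPackage."


def summarize(log_text):
    """Return ({package: {restricted names}}, {(permission type, name)})."""
    names_by_package = defaultdict(set)
    denied = set()
    for line in log_text.splitlines():
        m = RESTRICTED.search(line)
        if m:
            package = m.group(1).rpartition(".")[0]
            names_by_package[package].add(m.group(1))
        m = DENIED.search(line)
        if m:
            denied.add((m.group(1), m.group(2)))
    return dict(names_by_package), denied


def uncorrelated_packages(names_by_package, denied):
    """Packages with a restricted-class message but no accessClassInPackage denial."""
    covered = {name[len(PKG_PREFIX):] for _, name in denied
               if name.startswith(PKG_PREFIX)}
    return sorted(set(names_by_package) - covered)


if __name__ == "__main__":
    by_package, denied = summarize(SAMPLE_LOG)
    for package, names in sorted(by_package.items()):
        print(package, sorted(names))
    print("denied:", sorted(denied))
    print("uncorrelated:", uncorrelated_packages(by_package, denied))
```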