[EMAIL PROTECTED] wrote:
>
> Lexical analysis of file names is not exactly 'flawed' but it
> is hard to get right.
>

No argument, but getting all the security calls implemented correctly is harder. And I don't think it would really help with the whole WEB-INF thing. That doesn't mean it shouldn't be done, of course, but it does perhaps explain why it isn't done more often.

> I take your point that the security stuff is tricky, but for
> most servlets one can define the files/directories it may
> access pretty easily,
>

Servlets can access all the files in their webapp, including the ones under WEB-INF. There are no restrictions. If a servlet wants to manually serve WEB-INF/web.xml to a client, that's perfectly fine.

> So perhaps containers could have a 'deployment mode'
> where the default permissions are very restrictive,
> and exceptions are specified in web.xml.
>

You should take a look at Tomcat 4, especially the file conf/catalina.policy. Also:

http://jakarta.apache.org/tomcat/tomcat-4.0-doc/security-manager-howto.html

--
Christopher St. John [EMAIL PROTECTED]
DistribuTopia http://www.distributopia.com

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
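The message above notes that lexical checks on file names are hard to get right and that nothing stops a servlet from serving WEB-INF/web.xml itself. As an added example (not code from this thread or from Tomcat), here is a guard a servlet that serves files could call before opening anything: it relies on canonical paths rather than string rules, and refuses WEB-INF and META-INF; the class name, the temp-dir docBase and the sample requests are constructed.

```java
import java.io.File;
import java.io.IOException;

/** Resolves a client-supplied path against a webapp's document root,
 *  refusing anything outside it or under WEB-INF / META-INF. Works on
 *  canonical paths, so "..", symlinks and platform separators are
 *  resolved by the filesystem rather than by string rules. */
public final class WebappPathGuard {

    /** Returns the canonical file to serve, or null if it must be refused. */
    public static File resolve(File docBase, String requested) throws IOException {
        if (requested == null || requested.indexOf('\0') >= 0) {
            return null;                        // NUL bytes never belong in a path
        }
        String root = docBase.getCanonicalPath();
        File candidate = new File(docBase, requested).getCanonicalFile();
        String path = candidate.getPath();
        // Root itself or strictly below it; the separator stops
        // "/webapps/app2" passing a prefix test against "/webapps/app".
        if (!path.equals(root) && !path.startsWith(root + File.separator)) {
            return null;
        }
        // Part below the root, normalised to '/' and lower-cased so the
        // WEB-INF rule also holds on case-insensitive filesystems.
        String rel = path.substring(root.length())
                         .replace(File.separatorChar, '/').toLowerCase();
        if (rel.equals("/web-inf") || rel.startsWith("/web-inf/")
                || rel.equals("/meta-inf") || rel.startsWith("/meta-inf/")) {
            return null;
        }
        return candidate;
    }

    /** Constructed sample requests against a hypothetical docBase. */
    public static void main(String[] args) throws IOException {
        File docBase = new File(System.getProperty("java.io.tmpdir"), "myapp");
        String[] requests = {
            "index.html", "WEB-INF/web.xml", "foo/../WEB-INF/web.xml",
            "../other-app/index.html", "web-inf/classes/Secret.class"
        };
        for (String r : requests) {
            File f = resolve(docBase, r);
            System.out.println(r + " -> " + (f == null ? "refused" : f.getPath()));
        }
    }
}
```

This complements rather than replaces a security manager policy such as the one in conf/catalina.policy: the guard stops a servlet from serving container-private files by mistake, while the policy limits what the servlet's code is allowed to touch at all.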
