The latest version of Tomcat 4.0 from CVS supports the Java SecurityManager.
Tomcat 4.0 Beta 1 did not.
The Java SecurityManager can restrict access to those properties and do a
great deal more to assist you in running a secure application server.
I wouldn't consider what you reported a bug now that the Java SecurityManager
has been implemented.
BTW, if you are attending ApacheCon 2001 Apr 4-6, I will be presenting a session on
"Tomcat Server and Application Security" that goes into great detail on
how the Java SecurityManager works and using it with Tomcat.
Regards,
Glenn
[EMAIL PROTECTED] wrote:
>
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=389
>
> *** shadow/389 Mon Mar 12 13:27:37 2001
> --- shadow/389.tmp.1035 Mon Mar 12 13:27:37 2001
> ***************
> *** 0 ****
> --- 1,22 ----
> + +============================================================================+
> + | Security Issue? Important attributes exposed by ServletContext can be modi |
> + +----------------------------------------------------------------------------+
> + | Bug #: 389 Product: Tomcat 4 |
> + | Status: UNCONFIRMED Version: 4.0 Beta 1 |
> + | Resolution: Platform: All |
> + | Severity: Normal OS/Version: All |
> + | Priority: High Component: Catalina |
> + +----------------------------------------------------------------------------+
> + | Assigned To: [EMAIL PROTECTED] |
> + | Reported By: [EMAIL PROTECTED] |
> + | CC list: Cc: |
> + +----------------------------------------------------------------------------+
> + | URL: |
> + +============================================================================+
> + | DESCRIPTION |
> + Hi:
> +
> + The attributes such as "org.apache.catalina.classloader",
> + "org.apache.catalina.jsp_classpath" are exposed through ServletContext and can be
> + easily modified. No security violation is generated and anybody with an application
> + installed on the web server can modify these variables. Isn't it a security problem
> + for Tomcat?
> +
> + Thanks
> + -Ramesh
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
--
----------------------------------------------------------------------
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
----------------------------------------------------------------------
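As an added illustration of the point made in the reply above (this is not Catalina code, and it is not from Glenn's session or from the Tomcat project): a small model of a container-owned attribute table in which writes to the two attribute names from the bug report are gated by the Java SecurityManager. The permission name "org.apache.catalina.setAttribute.<name>", the protected-attribute list and the policy-file layout are assumptions made for the example; Catalina's own check, if it has one, may look different. With no SecurityManager installed the overwrite succeeds, which is what the reporter observed in 4.0 Beta 1; under a SecurityManager the policy decides which code base may write.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Minimal model of a container-owned attribute table where writes to
 * protected names are gated by the Java SecurityManager.  Not Catalina
 * code; the permission name and the protected list are assumptions.
 */
public class GuardedContextAttributes {

    // Hypothetical permission name; Catalina's own check, if any, may differ.
    private static final String PERM_PREFIX = "org.apache.catalina.setAttribute.";

    // Constructed list: the two attribute names from the bug report.
    private static final String[] PROTECTED = {
        "org.apache.catalina.classloader",
        "org.apache.catalina.jsp_classpath"
    };

    private final Map<String, Object> attributes = new HashMap<>();

    /** Container-side write: trusted code populating its own table. */
    void setInternal(String name, Object value) {
        attributes.put(name, value);
    }

    public Object getAttribute(String name) {
        return attributes.get(name);
    }

    /** Web-application-side write, as reached through ServletContext.setAttribute. */
    public void setAttribute(String name, Object value) {
        if (isProtected(name)) {
            SecurityManager sm = System.getSecurityManager();
            // With no SecurityManager installed there is nothing to consult,
            // so the write goes through: the Beta 1 behaviour the reporter saw.
            if (sm != null) {
                // Throws java.security.AccessControlException (a SecurityException)
                // unless the caller's code base was granted this permission.
                sm.checkPermission(new RuntimePermission(PERM_PREFIX + name));
            }
        }
        attributes.put(name, value);
    }

    private static boolean isProtected(String name) {
        for (String p : PROTECTED) {
            if (p.equals(name)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        final String name = "org.apache.catalina.classloader";
        GuardedContextAttributes ctx = new GuardedContextAttributes();
        ctx.setInternal(name, "value set by the container");

        // Untrusted webapp code trying to overwrite the attribute.
        try {
            ctx.setAttribute(name, "value set by a webapp");
            System.out.println("overwritten (no SecurityManager, or permission granted)");
        } catch (SecurityException e) {
            System.out.println("blocked by SecurityManager: " + e.getMessage());
        }
        System.out.println(name + " = " + ctx.getAttribute(name));
    }
}

// Run without a SecurityManager and the attribute is overwritten:
//   java GuardedContextAttributes
// Run under a SecurityManager with a policy that does not grant the
// permission to the webapp's code base and the write is refused:
//   java -Djava.security.manager -Djava.security.policy=guard.policy GuardedContextAttributes
//
// guard.policy (assumed layout, not Tomcat's shipped catalina.policy):
//   grant codeBase "file:${catalina.home}/server/-" {
//       permission java.lang.RuntimePermission "org.apache.catalina.setAttribute.*";
//   };
//   // no grant for file:${catalina.home}/webapps/-, so webapps are denied
```

Two caveats a practitioner should keep in mind. First, a SecurityManager only helps if every privileged write path in the container actually performs the check; a trusted internal path like setInternal above must not be reachable from webapp code. Second, java.lang.SecurityManager has been deprecated for removal since JDK 17 and is permanently disabled from JDK 24, so this mechanism is a historical one for current Tomcat releases.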