Glenn Nielsen wrote:
[snip]
>
> Glad to hear you had success using Tomcat with the Java SecurityManager.
> Where I work we have several different installs of Tomcat. All of them
> use a much more restrictive policy file than the default catalina.policy.
> At one point the Tomcat 4 Security Manager docs included an example
> of a more restrictive policy than the default catalina.policy that
> Tomcat 4 is distributed with. If I have time, I will update those docs
> for the Tomcat 4.0.2 release. And perhaps add an example catalina.policy
> to the distribution which is more restrictive. Hmmm, now that the
> framework is there for the admin web application, perhaps an easier
> to understand interface could be added to it for configuring the catalina.policy
> file.
I may have to take a look at these examples. Trying to whittle down
AllPermission by guesswork is a daunting task to say the least. ;)
I'll RTFM before I complain too loudly. :)
>
> > All that being said, my patches for disabling the exec directive
> > might still be useful. Since it simply removes the directive from
> > consideration it causes it to be treated as an unknown command
> > rather than a security error. Currently, unknown commands can be
> > ignored with the correct option. In an ideal world, all of the
> > directives would be configurable but that seemed like overkill.
> >
>
> Yes, that might be useful. I just don't want to see Tomcat 4
> littered with a lot of 'security' code when security can be enforced
> using the Java SecurityManager and a policy file.
I whole-heartedly agree with that.
-Paul
>
> > Anyway, I'm going to try and set up your proposal here locally
> > and see if I find any problems.
>
> Let me know how it works out.
>
> Thanks,
>
> Glenn
>