http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10902

"package.access" security check too general for Jasper - precompiled JSPs get 
package-access violation

           Summary: "package.access" security check too general for Jasper -
                    precompiled JSPs get package-access violation
           Product: Tomcat 4
           Version: 4.0.4 Final
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


Catalina and CatalinaService classes programmatically update 
the "package.access" SecurityManager property (if a SecurityManager is present) 
by adding Tomcat-specific package prefixes to protect access to, 
including "org.apache.jasper.".  This package-prefix is so general for Jasper 
that even precompiled JSPs cannot run with the basic SecurityManager and policy 
for Tomcat without getting a package access security exception.  This should be 
updated to protect only the subset of Jasper packages (if any) that are NOT 
part of the Jasper runtime, so that precompiled JSPs can work seamlessly (as 
standard servlets do) with a Tomcat instance running with the SecurityManager.

A code snippet from Tomcat 4.0.1 follows that shows what gets set, but the same 
problem has been verified to exist in 4.0.4:

        // If a SecurityManager is being used, set properties for
        // checkPackageAccess() and checkPackageDefinition
        if( System.getSecurityManager() != null ) {
            String access = Security.getProperty("package.access");
            if( access != null && access.length() > 0 )
                access += ",";
            else
                access = "sun.,";
            Security.setProperty("package.access",
                access + "org.apache.catalina.,org.apache.jasper.");
            String definition = Security.getProperty("package.definition");
            if( definition != null && definition.length() > 0 )
                definition += ",";
            else
                definition = "sun.,";
            Security.setProperty("package.definition",
                // FIX ME package "javax." was removed to prevent HotSpot
                // fatal internal errors
                definition + "java.,org.apache.catalina.,org.apache.jasper.");
        }
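Added illustration of the mechanism the report describes (not Tomcat code): how the comma-separated "package.access" list is assembled and which packages a given list restricts. The class name, the narrower "org.apache.jasper.compiler." entry and the sample package names are assumptions for the demo; org.apache.jasper.runtime is the package whose base classes a compiled JSP extends, which is why a prefix covering it blocks precompiled JSPs.

```java
import java.security.Security;

// Demo class (hypothetical name): builds "package.access" the way the
// Catalina snippet does and shows the effect of a broad vs. a narrow prefix.
public class PackageAccessDemo {

    // Same append logic as the Catalina snippet in the report: extend an
    // existing list if there is one, otherwise start from "sun.,".
    static String appendPrefixes(String current, String... prefixes) {
        String access = (current != null && current.length() > 0) ? current + "," : "sun.,";
        return access + String.join(",", prefixes);
    }

    // The SecurityManager treats each entry as a package-name prefix, so
    // "org.apache.jasper." covers every sub-package beneath it.
    static boolean isRestricted(String accessList, String pkg) {
        for (String prefix : accessList.split(",")) {
            prefix = prefix.trim();
            if (!prefix.isEmpty() && (pkg.startsWith(prefix) || prefix.equals(pkg + "."))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // List as Catalina sets it (per the report) versus a hypothetical
        // narrower list that leaves the Jasper runtime packages reachable.
        String asShipped = appendPrefixes(null, "org.apache.catalina.", "org.apache.jasper.");
        String narrowed  = appendPrefixes(null, "org.apache.catalina.", "org.apache.jasper.compiler.");

        // Sample packages (constructed for the demo): the first is what a
        // precompiled JSP needs; the other two are ones that should stay protected.
        String[] packages = {"org.apache.jasper.runtime", "org.apache.jasper.compiler", "org.apache.catalina.core"};
        for (String pkg : packages) {
            System.out.printf("%-28s shipped=%-5b narrowed=%b%n",
                    pkg, isRestricted(asShipped, pkg), isRestricted(narrowed, pkg));
        }

        // With a SecurityManager installed, the same list is enforced by
        // checkPackageAccess(); lacking an accessClassInPackage permission for
        // the package, a SecurityException is thrown (setProperty itself also
        // needs a SecurityPermission under a SecurityManager).
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            try {
                Security.setProperty("package.access", asShipped);
                sm.checkPackageAccess("org.apache.jasper.runtime");
                System.out.println("org.apache.jasper.runtime: allowed");
            } catch (SecurityException e) {
                System.out.println("org.apache.jasper.runtime: denied (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it plainly to see the prefix matching, or with `-Djava.security.manager` on a JDK that still ships a SecurityManager to see the check enforced.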
