http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10902

           Summary: "package.access" security check too general for Jasper -
                    precompiled JSPs get package-access violation
           Product: Tomcat 4
           Version: 4.0.4 Final
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Catalina and CatalinaService classes programmatically update the "package.access" SecurityManager property (if a SecurityManager is present) by adding Tomcat-specific package prefixes to protect access to, including "org.apache.jasper.".

This package-prefix is so general for Jasper that even precompiled JSPs cannot run with the basic SecurityManager and policy for Tomcat without getting a package access security exception.

This should be updated to protect only the subset of Jasper packages (if any) that are NOT part of the Jasper runtime, so that precompiled JSPs can work seamlessly (as standard servlets do) with a Tomcat instance running with the SecurityManager.

A code snippet from Tomcat 4.0.1 follows that shows what gets set, but the same problem has been verified to exist in 4.0.4:

    // If a SecurityManager is being used, set properties for
    // checkPackageAccess() and checkPackageDefinition
    if( System.getSecurityManager() != null ) {
        String access = Security.getProperty("package.access");
        if( access != null && access.length() > 0 )
            access += ",";
        else
            access = "sun.,";
        Security.setProperty("package.access",
            access + "org.apache.catalina.,org.apache.jasper.");
        String definition = Security.getProperty("package.definition");
        if( definition != null && definition.length() > 0 )
            definition += ",";
        else
            definition = "sun.,";
        Security.setProperty("package.definition",
            // FIX ME package "javax." was removed to prevent HotSpot
            // fatal internal errors
            definition + "java.,org.apache.catalina.,org.apache.jasper.");
    }
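The following is an added example, not part of the bug report and not Tomcat code. It re-implements the prefix test that `SecurityManager.checkPackageAccess()` applies to the "package.access" list, and compares the value set by the snippet above with a narrowed value. The narrowed list and the choice of `org.apache.jasper.compiler` as the non-runtime package are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: mirrors the matching rule used by
// SecurityManager.checkPackageAccess(), so it runs without a SecurityManager.
public class PackageAccessDemo {

    // Split the comma-separated property value into trimmed prefixes.
    static List<String> prefixes(String property) {
        List<String> out = new ArrayList<>();
        for (String p : property.split(",")) {
            if (!p.trim().isEmpty()) out.add(p.trim());
        }
        return out;
    }

    // A package is restricted when it starts with a listed prefix, or equals
    // a prefix minus its trailing dot. Restricted packages then require
    // RuntimePermission("accessClassInPackage." + pkg) in the policy.
    static boolean restricted(String pkg, String property) {
        for (String p : prefixes(property)) {
            if (pkg.startsWith(p) || p.equals(pkg + ".")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Value built by the Catalina snippet when the property starts out empty.
        String current = "sun.," + "org.apache.catalina.,org.apache.jasper.";
        // Assumption: a narrowed value that leaves the Jasper runtime unlisted.
        String narrowed = "sun.,org.apache.catalina.,org.apache.jasper.compiler.";

        String[] pkgs = {
            "org.apache.jasper.runtime",   // referenced by precompiled JSP classes
            "org.apache.jasper.compiler",  // needed only to translate JSP source
            "org.apache.catalina.core",    // container internals
            "javax.servlet.jsp",           // public API, never listed
        };
        for (String pkg : pkgs) {
            System.out.printf("%-28s current=%-5b narrowed=%b%n",
                pkg, restricted(pkg, current), restricted(pkg, narrowed));
        }
    }
}
```

With the current value, `org.apache.jasper.runtime` is restricted, which is why a precompiled JSP fails under the default policy; with the narrowed value only the compiler and Catalina packages remain restricted.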