http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12101

SecurityManager + removal of sample webapps = unprivileged getParameter()!

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Other                       |High



------- Additional Comments From [EMAIL PROTECTED]  2002-08-29 01:41 -------
Ok, I think I tracked the real issue down.  Disregard my previous 
hypotheses.  :)

The problem occurs when the SecurityManager is used with the default policy.  
If a request comes in, if the request processing path does NOT flow through a 
class file that has all permissions granted (e.g., "DefaultServlet" Catalina-
internal servlet) and there is no call made to "request.getParameterNames()" 
or "request.getParameter()" from code with all permissions, BEFORE any other 
[user/untrusted] servlet with fewer permissions granted, the following security 
exception will occur:

StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.util.LocalStrings
Security Violation, attempt to use Restricted Class: org.apache.catalina.util.LocalStrings_en
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)

Refer to the complete stack trace in the Bugzilla description for more details.

I have confirmed that this bug also exists in Tomcat 4.0.1 -- likely even 
earlier.  This sounds like a fairly high priority bug.  Can someone take a look?

Thanks.
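
Added example, not part of the bug comment or of Tomcat: a small log triage script that pairs each accessClassInPackage denial with the "Restricted Class" entries logged for the same package, which is the signature quoted above. The sample log is constructed from those three entries plus one made-up denial (package org.example.internal) in the quoted format newer JDKs print; all function names are hypothetical.

```python
import re

# Constructed sample: the three entries quoted in the comment, plus one
# made-up denial in the quoted format printed by newer JDKs.
SAMPLE_LOG = """\
StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.util.LocalStrings
Security Violation, attempt to use Restricted Class: org.apache.catalina.util.LocalStrings_en
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.example.internal")
"""

# \s* and \s+ also match a newline, so mail-wrapped entries still parse.
RESTRICTED = re.compile(r"attempt to use Restricted Class:\s*([\w.$]+)")
DENIED = re.compile(
    r'access denied\s+\("?([\w.$]+)"?\s+"?([^"\s)]+)"?(?:\s+"?([^")]+)"?)?\)')
PKG_PREFIX = "accessClassInPackage."


def parse_denials(log):
    """Return (permission_class, target, actions) for every denial."""
    return [(m.group(1), m.group(2), m.group(3) or "")
            for m in DENIED.finditer(log)]


def restricted_classes(log):
    """Return every class name reported as a restricted-class access."""
    return [m.group(1) for m in RESTRICTED.finditer(log)]


def package_denials(log):
    """Map each package denied via accessClassInPackage to the
    restricted classes logged for that same package."""
    classes = restricted_classes(log)
    report = {}
    for perm, target, _ in parse_denials(log):
        if perm == "java.lang.RuntimePermission" and target.startswith(PKG_PREFIX):
            pkg = target[len(PKG_PREFIX):]
            report[pkg] = sorted(
                c for c in classes if c.rpartition(".")[0] == pkg)
    return report


if __name__ == "__main__":
    for pkg, classes in package_denials(SAMPLE_LOG).items():
        print(pkg, "->", ", ".join(classes) or "(no class logged)")
```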
