Hi Glenn,

your last addition seems, IMO, to open a security issue with classes located under the o.a.c.util directory. Actually, maybe not for Tomcat 4.1, but for 5.0, I have created a class called SecurityAudit.java that contains some security check. If we port your latest changes, this class will be exposed to malicious uses. Also, is there a reason why we are giving the "defineClassInPackage"?

I think two solutions are available:
(1) move sensitive classes to another package
(2) create a "public" package where we want to give access to some internal class.

What is your recommendation?

Thanks,

-- Jeanfrancois

[EMAIL PROTECTED] wrote:

>glenn 2002/09/30 12:59:47 > > Modified: catalina/src/conf catalina.policy > Log: > Allow defineClassInPackage for util due to Request Parametermap needs > > Revision Changes Path > 1.28 +3 -1 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy > > Index: catalina.policy > =================================================================== > RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v > retrieving revision 1.27 > retrieving revision 1.28 > diff -u -r1.27 -r1.28 > --- catalina.policy 8 Sep 2002 18:04:02 -0000 1.27 > +++ catalina.policy 30 Sep 2002 19:59:47 -0000 1.28 > @@ -121,6 +121,8 @@ > // Required for sevlets and JSP's > permission java.lang.RuntimePermission >"accessClassInPackage.org.apache.catalina.util"; > permission java.lang.RuntimePermission >"accessClassInPackage.org.apache.catalina.util.*"; > + permission java.lang.RuntimePermission >"defineClassInPackage.org.apache.catalina.util"; > + permission java.lang.RuntimePermission >"defineClassInPackage.org.apache.catalina.util.*"; > > // Required for running servlets generated by JSPC > permission java.lang.RuntimePermission >"accessClassInPackage.org.apache.jasper.runtime"; > > > > >-- >To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> >For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
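
Review bot: the two added defineClassInPackage lines in the servlet/JSP block of the @@ -121,6 +121,8 @@ hunk cover all of org.apache.catalina.util and org.apache.catalina.util.*, while the log message names only the Request ParameterMap need. Code that holds this permission can define its own classes inside that package and so reach package-private members of every class that lives there, which is a wider grant than the accessClassInPackage lines just above it. Suggest a comment on the new lines saying which class has to be defined in the package and why access alone is not enough, and dropping the ".*" line unless a subpackage actually needs it.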