I agree that both of those packages should be protected. Why they are not included? org.apache.coyote is most likely missing because it is a relatively new package. org.apache.util may just have been missed.
The code below is in both startup/Catalina.java and startup/CatalinaService.java I will go ahead and patch this in Tomcat 4 HEAD. Regards, Glenn Jean-Francois Arcand wrote: > HI, > > is somebody aware why package org.apache.coyote.* and > org.apache.tomcat.* are not protected againts package insertion/access > in Catalina.java. What is the reasons? Actually, classes are not > available to a Webapp (the Classloader is taking care of it) but when > Tomcat is embedded in an app container (or when there is a special > Classloader), those classes are available :-( > > Actually, we only protect the following package: > > if( System.getSecurityManager() != null ) { > String access = Security.getProperty("package.access"); > if( access != null && access.length() > 0 ) > access += ","; > else > access = "sun.,"; > Security.setProperty("package.access", > access + "org.apache.catalina.,org.apache.jasper."); > String definition = Security.getProperty("package.definition"); > if( definition != null && definition.length() > 0 ) > definition += ","; > else > definition = "sun.,"; > Security.setProperty("package.definition", > // FIX ME package "javax." was removed to prevent HotSpot > // fatal internal errors > definition + > "java.,org.apache.catalina.,org.apache.jasper."); > } > > Thanks, > > -- Jeanfrancois > > > -- > To unsubscribe, e-mail: > <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: > <mailto:[EMAIL PROTECTED]> -- ---------------------------------------------------------------------- Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder | MOREnet System Programming | * if iz ina coment. | Missouri Research and Education Network | */ | ---------------------------------------------------------------------- -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>