Remy Maucherat wrote:
Jeanfrancois Arcand wrote:
The only problem I see by removing the package org.apache.jsp is that
when Tomcat run under the security manager, it is no longer possible
to protect an application from package insertion/access (dangerous).
It is still possible to protect the application by manually adding
the new package name under the conf/tomcat.properties file. This will
have to be documented somewhere.
That's a good point, also. (oh, no, I'm back in the middle of a JSPC
induced mess ;-) )
Ok, I can re-revert my patch ;-)
Please don't. The way it's pathced now, it works as in TC 4.0.4. Also
note that this is for precompiled JSP pages only. If there are
security concerns (I know I'm ignorant), let's look at both JspServlet
and JSPC and find a solution that works for both at the same time.
Hans
--
Hans Bergsten <[EMAIL PROTECTED]>
Gefion Software <http://www.gefionsoftware.com/>
Author of O'Reilly's "JavaServer Pages", covering JSP 1.2 and JSTL 1.0
Details at <http://TheJSPBook.com/>
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>