Hans Bergsten wrote:

Remy Maucherat wrote:

Jeanfrancois Arcand wrote:

The only problem I see by removing the package org.apache.jsp is that when Tomcat runs under the security manager, it is no longer possible to protect an application from package insertion/access (dangerous).

It is still possible to protect the application by manually adding the new package name under the conf/tomcat.properties file. This will have to be documented somewhere.


That's a good point, also. (oh, no, I'm back in the middle of a JSPC induced mess ;-) )
Ok, I can re-revert my patch ;-)

Please don't. The way it's patched now, it works as in TC 4.0.4. Also
note that this is for precompiled JSP pages only. If there are
security concerns (I know I'm ignorant), let's look at both JspServlet
and JSPC and find a solution that works for both at the same time.
We can support runtime package name addition (when the servlet is generated, ask the security manager to protect the package). So it can be optional, i.e. being able to tell jasper to generate the servlet using org.apache.jsp (something configurable via JMX ;-) ), with or without an aaa.bbb.ccc. Then, when the package generation option is selected, ask the security manager to protect it. It will be easy to document the functionality and that will improve the security manager protection mechanism (by having the choice of protecting or not a package, and by having the choice of the package name).

-- Jeanfrancois


Hans
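As an added illustration (not part of this thread and not Tomcat's shipped configuration): the manual protection Jeanfrancois describes amounts to listing the generated-servlet package under the standard Java security properties `package.access` and `package.definition`, which `SecurityManager.checkPackageAccess` and `SecurityManager.checkPackageDefinition` consult. A class loader that honours the security manager (Tomcat's webapp class loader calls both checks) then needs `RuntimePermission("accessClassInPackage.<pkg>")` or `RuntimePermission("defineClassInPackage.<pkg>")` for any package matching an entry, which web application code is not granted by default. The package lists below are constructed for the example (the real defaults differ between Tomcat versions), aaa.bbb.ccc is the placeholder name used above, and the file is the conf/tomcat.properties named above.

```properties
# conf/tomcat.properties (constructed example)
#
# Weak: only the container's own packages are protected. If JSPC or Jasper
# generates page servlets into aaa.bbb.ccc (or the default org.apache.jsp is
# left off the list), a web application can define its own classes in that
# package and shadow or tamper with the generated page servlets.
package.access=sun.,org.apache.catalina.,org.apache.jasper.,org.apache.tomcat.
package.definition=sun.,java.,org.apache.catalina.,org.apache.jasper.,org.apache.tomcat.

# Corrected: every package that holds generated page servlets is listed,
# the default org.apache.jsp. and the custom aaa.bbb.ccc. alike.
# Entries are prefixes matched with startsWith(), so the trailing dot matters:
# "org.apache.jsp." covers org.apache.jsp and org.apache.jsp.foo, but not
# an unrelated org.apache.jspx.
package.access=sun.,org.apache.catalina.,org.apache.jasper.,org.apache.tomcat.,org.apache.jsp.,aaa.bbb.ccc.
package.definition=sun.,java.,org.apache.catalina.,org.apache.jasper.,org.apache.tomcat.,org.apache.jsp.,aaa.bbb.ccc.
```

Because these are prefix lists, the runtime variant proposed above only has to append `<package>.` to the current value of each property (via `java.security.Security.setProperty`, which itself requires `SecurityPermission("setProperty.package.definition")` and the matching `package.access` permission under the security manager, so the container, not the web application, must do it) when a non-default package is selected.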

