Hans Bergsten wrote:

> Jeanfrancois Arcand wrote:
>
>> [...]
>> We can support runtime package name addition (when the servlet is generated, ask the security manager to protect the package). So it can be optional, i.e. being able to tell Jasper to generate the servlet using org.apache.jsp (something configurable via JMX ;-) ), with or without an aaa.bbb.ccc. Then, when the package generation option is selected, ask the security manager to protect it. It will be easy to document the functionality, and that will improve the security manager protection mechanism (by having the choice of protecting or not protecting a package, and by having the choice of the package name).
>
> I admit I'm almost totally ignorant about this, so can you please
> explain why I would want to protect the package used for my JSP pages?

In the normal case (when your web app is bundled as a standalone module), you don't need to protect your JSP. The classloader will protect your JSP. It is when you bundle more than one web app in a single war file that you may need protection.

> Who am I protecting myself against, what type of attack, in what type
> of environment? Given that each web app has its own classloader and
> (I assume) is in control over what goes in its web app structure, I
> just don't see the need for this protection. But I may be totally wrong,
> so please enlighten me.

You are right, but when the Tomcat classloading mechanism is not used, we need a way to still ensure the protection. That will not happen when you use Tomcat as it is, but that can happen in JBoss and the J2EE RI (when you change the installation structure). And knowing how classloading works ;-), I would prefer having a protection alternative.

-- Jeanfrancois

> Hans

