Hi, Bill!!

Thanks a lot!!
It seems it's exactly what I need.


Bill Barker-2 wrote:
> 
> 
> "kazukin6" <[EMAIL PROTECTED]> wrote in message 
> news:[EMAIL PROTECTED]
>>
>> Please help!!
>> Is it possible to disable all Java code execution within a JSP page (by
>> security manager or something)
>> but allow custom tags to be executed?
> 
> There isn't anything that can't be worked around.  But putting:
> <jsp-config>
>    <jsp-property-group>
>         <url-pattern>*.jsp</url-pattern>
>         <scripting-invalid>true</scripting-invalid>
>    </jsp-property-group>
> </jsp-config>
> 
> in $CATALINA_HOME/conf/web.xml means that you can prove that they went out 
> of their way to break the rules.  This is section 3.3.3 of the JSP-2.1
> spec. 
> If they put the corresponding fragment in their webapp's web.xml but with 
> <scripting-invalid>false</scripting-invalid> then Tomcat will allow 
> scripting (user web.xml overrides global web.xml).  Also, since it is a 
> translation-time error, it won't work if they deploy pre-compiled JSP
> pages.
> 
> Using a SecurityManager just limits what they can do (e.g. <% 
> System.exit(0); %>  throws an exception).
> 
> 
>>
>> The problem is that the users can change JSP files, and due to security
>> reasons we can allow them to use only tags.
>> -- 
>> View this message in context: 
>> http://www.nabble.com/Disable-java-code-execution-%3C-blabla-%3E-in-jsp%2C-but-permits-tags-tp19415053p19415053.html
>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>> 
> 

-- 
View this message in context: 
http://www.nabble.com/Disable-java-code-execution-%3C-blabla-%3E-in-jsp%2C-but-permits-tags-tp19415053p19433882.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
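
An added example, not part of the original thread: a small audit for the two gaps Bill describes (a webapp web.xml that sets scripting-invalid back to false, and pre-compiled JSP pages that never reach translation), plus a source check for scripting elements. The function names and the sample web.xml are constructed for illustration, and spotting pre-compiled pages by the org.apache.jsp package prefix is an assumption that the pages were compiled with Jasper's default package.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a webapp's WEB-INF/web.xml (not taken from the thread).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>index</servlet-name>
    <servlet-class>org.apache.jsp.index_jsp</servlet-class>
  </servlet>
  <jsp-config>
    <jsp-property-group>
      <url-pattern>*.jsp</url-pattern>
      <scripting-invalid>false</scripting-invalid>
    </jsp-property-group>
  </jsp-config>
</web-app>"""

def _local(tag):
    # Drop the "{namespace}" prefix so any web.xml schema version matches.
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return (finding, details) tuples for one webapp descriptor, in document order."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "jsp-property-group":
            kids = {_local(c.tag): (c.text or "").strip() for c in el}
            if kids.get("scripting-invalid", "").lower() == "false":
                findings.append(("scripting-re-enabled", kids.get("url-pattern", "")))
        elif name == "servlet-class":
            cls = (el.text or "").strip()
            # Assumption: precompiled pages keep Jasper's default package.
            if cls.startswith("org.apache.jsp."):
                findings.append(("precompiled-jsp", cls))
    return findings

_COMMENT = re.compile(r"<%--.*?--%>", re.S)
# <%, <%! and <%= are scripting elements; <%@ directives are not.
_SCRIPTING = re.compile(r"<%(?!@)|<jsp:(?:scriptlet|declaration|expression)\b")

def has_scripting(jsp_text):
    """True if the JSP source has elements that scripting-invalid would reject."""
    return bool(_SCRIPTING.search(_COMMENT.sub("", jsp_text)))

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print(finding)
```

Run audit_web_xml over each deployed webapp's WEB-INF/web.xml and has_scripting over the user-editable JSP files; any finding is a place where the global scripting-invalid setting is not the one in effect.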

