Posted to taglibs-dev@jakarta.apache.org by Glenn Nielsen <gl...@mail.more.net> on 2004/03/02 12:57:43 UTC

Re: [Mailer] Handling get[Default]Instance() - bug #24715

Perhaps a better way to accomplish restricting the use of getInstance()
would be to use the Java SecurityManager.

There could be a property named org.apache.taglibs.mailer.getInstance.
A checkPermission could be done to verify whether the webapp had
the java.util.PropertyPermission "org.apache.taglibs.mailer.getInstance", "write"
permission; if it has this permission, allow the use of getInstance.
In this case the property doesn't have to be defined in the JVM, only
the SecurityPermission in the app server security policy.  This way
the use of getInstance() can be controlled on a per webapp level rather
than globally.

Regards,

Glenn


On Wed, Feb 18, 2004 at 10:49:32AM +0100, Martin van Dijken wrote:
> Hey Martin,
> 
> I can indeed imagine cases where the sysops of a system won't want the
> webapp developers to have this kind of control. This is however a little
> nasty in the sense that it will have to be documented very well, and
> even then will be overlooked most of the time... Also, if something
> were wrong with one of my webapps upon deployment, the last thing I
> would think to check for problems with a taglib is the system
> properties... I must admit that I can't think of another solution
> though.
> 
> Martin
> 
> > -----Original Message-----
> > From: Martin Cooper [mailto:martinc@apache.org] 
> > Sent: woensdag 18 februari 2004 6:49
> > To: taglibs-dev@jakarta.apache.org
> > Subject: [Mailer] Handling get[Default]Instance() - bug #24715
> > 
> > 
> > Bugzilla #24715 points out that, under certain circumstances, 
> > it is necessary to use JavaMail's getInstance() method, 
> > rather than the
> > getDefaultInstance() method, to get the session to use for 
> > sending mail. However, as Glenn Nielsen has pointed out, 
> > there are also cases in which
> > getDefaultInstance() must be used, to prevent modification of 
> > the session by the client.
> > 
> > In the latter case, a web app config parameter is not 
> > sufficient, because control needs to lie with those in 
> > control of the JVM, rather than those who have control over 
> > the web app (at least as I understand it).
> > 
> > Therefore, I propose to resolve this issue by introducing a 
> > system property that will be used to determine which method 
> > to use to obtain a JavaMail session.
> > 
> > Further, since the more unusual case (I am assuming) is 
> > restricted access to the session, I propose that the absence 
> > of the property be taken to indicate that getInstance() 
> > should be used, and that the property must be defined to 
> > specify that getDefaultInstance() should be used.
> > 
> > Comments?
> > 
> > --
> > Martin Cooper
> > 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
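
Added example, not part of the original messages and not Mailer taglib code: a sketch of the per-webapp check described in Glenn's message above, using the permission name he proposes. The class name MailSessionGate, the method mayUseGetInstance(), the policy codeBase path, and the choice to allow getInstance() when no SecurityManager is installed are assumptions.

```java
import java.util.PropertyPermission;

/*
 * Matching grant in the app server security policy (constructed path):
 *
 *   grant codeBase "file:/path/to/webapps/trusted-app/-" {
 *     permission java.util.PropertyPermission
 *         "org.apache.taglibs.mailer.getInstance", "write";
 *   };
 */
public class MailSessionGate { // hypothetical helper
    // Name taken from the thread. It is used only as a permission target
    // and never has to be defined as a JVM system property.
    static final String TARGET = "org.apache.taglibs.mailer.getInstance";

    /** True if every protection domain on the call stack holds the permission. */
    @SuppressWarnings("removal")
    static boolean mayUseGetInstance() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // Assumption: without a SecurityManager there is no policy to enforce.
            return true;
        }
        try {
            // Not wrapped in doPrivileged on purpose: the webapp's own frames
            // must hold the permission, not only the taglib's code source.
            sm.checkPermission(new PropertyPermission(TARGET, "write"));
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // In the tag this decision would select between
        // Session.getInstance(props) and Session.getDefaultInstance(props).
        System.out.println(mayUseGetInstance()
                ? "getInstance()" : "getDefaultInstance()");
    }
}
```

The SecurityManager was deprecated for removal in Java 17 (JEP 411), so this gate only has an effect on runtimes that are still started with a security policy.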



Re: [Mailer] Handling get[Default]Instance() - bug #24715

Posted by Martin Cooper <ma...@apache.org>.
On Tue, 2 Mar 2004, Glenn Nielsen wrote:

> Perhaps a better way to accomplish restricting the use of getInstance()
> would be to use the Java SecurityManager.
>
> There could be a property named org.apache.taglibs.mailer.getInstance.
> A checkPermission could be done to verify whether the webapp had
> the java.util.PropertyPermission "org.apache.taglibs.mailer.getInstance", "write"
> permission; if it has this permission, allow the use of getInstance.
> In this case the property doesn't have to be defined in the JVM, only
> the SecurityPermission in the app server security policy.  This way
> the use of getInstance() can be controlled on a per webapp level rather
> than globally.

That makes a lot of sense. I've so far escaped having to care much about
the security manager, but it looks like my time has come. ;-)

--
Martin Cooper

