Posted to dev@tomcat.apache.org by cm...@yahoo.com on 2001/10/16 04:51:19 UTC

Re: Catalina on Avalon

On Tue, 16 Oct 2001, David Bullock wrote:

> On Mon, 15 Oct 2001, Remy Maucherat wrote:
>
> > >  - *should* catalina packages be sealed? If so, why? If not, why not?
> >
> > No, why ?
>
> Well, I would say that sealing is a great and necessary concept
> from a security perspective.  I haven't been involved in any
> discussions about the merits or otherwise of sealing, so this is
> a personal conclusion from reading and thinking about classloaders
> and security.


The main benefit of sealing is that it prevents a whole category of
exploits. There are many cases where the compiler generates a
package-protected field ( for sure in internal classes ), and the only way
to protect against it is via sealing.

The only argument against sealing is that it exposes bugs in the class
loaders, but IMHO it's better to fix the bugs than disable sealing.

> I'm not trying to point the finger at Tomcat in particular ... sealing is
> a new idea that is going to affect how we design things, and it's not
> generally well-understood what the impacts are yet.

Sealing has been around since JDK1.2, not quite a new idea. The impact is
pretty clear, I think - it prevents mixing versions ( which would create
far bigger problems if undetected ), exposes bugs in class loaders and
prevents some security exploits.


Costin
( a big supporter of sealing )
( BTW, the 39 classes and interfaces are a bit more than 39 - as they have
dependencies on the classes that implement them, spaghetti-style, and
moving them might also help clean up some of the mess. However, with few
changes it is possible to separate them the way you want - at least I was
able to do it. )
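
Added example (not part of the original message and not Tomcat code): a small Java audit that reports which packages in a JAR are sealed according to its manifest, honouring a per-package `Sealed` entry over the JAR-wide default. The class name `SealAudit` and the `org/example/...` packages are made up, and the JAR is constructed in memory as sample input.

```java
import java.io.*;
import java.util.*;
import java.util.jar.*;

public class SealAudit {
    // Maps each package directory that holds a .class file to its sealed state.
    static Map<String, Boolean> audit(InputStream jarBytes) throws IOException {
        Map<String, Boolean> result = new TreeMap<>();
        try (JarInputStream in = new JarInputStream(jarBytes)) {
            Manifest mf = in.getManifest();   // null when the JAR has no manifest
            for (JarEntry e; (e = in.getNextJarEntry()) != null; ) {
                String n = e.getName();
                // Skip resources and classes in the unnamed (default) package.
                if (!n.endsWith(".class") || !n.contains("/")) continue;
                String pkg = n.substring(0, n.lastIndexOf('/') + 1);
                result.put(pkg, isSealed(mf, pkg));
            }
        }
        return result;
    }

    // A per-package "Name: pkg/" section overrides the main-section Sealed value.
    static boolean isSealed(Manifest mf, String pkg) {
        if (mf == null) return false;
        Attributes per = mf.getAttributes(pkg);
        String v = per == null ? null : per.getValue(Attributes.Name.SEALED);
        if (v == null) v = mf.getMainAttributes().getValue(Attributes.Name.SEALED);
        return "true".equalsIgnoreCase(v);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: JAR sealed by default, one package explicitly unsealed.
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        mf.getMainAttributes().put(Attributes.Name.SEALED, "true");
        Attributes open = new Attributes();
        open.put(Attributes.Name.SEALED, "false");
        mf.getEntries().put("org/example/plugins/", open);
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (JarOutputStream out = new JarOutputStream(buf, mf)) {
            for (String n : new String[] {"org/example/core/A.class", "org/example/plugins/B.class"}) {
                out.putNextEntry(new JarEntry(n));   // empty placeholder entries
                out.closeEntry();
            }
        }
        audit(new ByteArrayInputStream(buf.toByteArray()))
            .forEach((p, s) -> System.out.println(p + " sealed=" + s));
    }
}
```

Any package reported as unsealed can have classes added to it from another code source on the same class loader, which is how outside code reaches the package-protected members mentioned above.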