Posted to dev@commons.apache.org by bu...@apache.org on 2004/08/21 22:25:40 UTC
DO NOT REPLY [Bug 25186] - Security problem, BasicDataSource class
http://issues.apache.org/bugzilla/show_bug.cgi?id=25186
Security problem, BasicDataSource class
yoavs@computer.org changed:
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |        |WONTFIX
------- Additional Comments From yoavs@computer.org 2004-08-21 20:25 -------
So you're trying to protect the case where the Tomcat admin doesn't trust the
Tomcat developers but allows them to write and deploy software on his server?
The Tomcat developer would have to explicitly cast the JNDI DataSource to the
DBCP impl type, BasicDataSource in this case. Then the developer would be
able to use any public methods in the impl class. If getPassword were
protected or private, the developer could always subclass BasicDataSource with
his own class that just makes the method private.
So I don't think this is a scenario that's of concern. Especially since other
pool implementations like proxool and c3p0 do the same thing, and I haven't
heard any concerns or complaints about it.
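
The cast discussed in the comment above, next to a wrapper that hands application code only the javax.sql.DataSource interface. This is an added example, not part of the original message and not DBCP or Tomcat code. PoolImpl is a hypothetical stand-in for an implementation class such as BasicDataSource, the password is a constructed value, and the wrapper closes only the cast path.

```java
import java.io.PrintWriter;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.logging.Logger;
import javax.sql.DataSource;

public class InterfaceOnlyDataSource {
    // Hypothetical stand-in for a pool implementation with a public password getter.
    static class PoolImpl implements DataSource {
        private final String password;
        PoolImpl(String password) { this.password = password; }
        public String getPassword() { return password; }
        public Connection getConnection() throws SQLException { throw new SQLException("no database in this demo"); }
        public Connection getConnection(String u, String p) throws SQLException { return getConnection(); }
        public PrintWriter getLogWriter() { return null; }
        public void setLogWriter(PrintWriter out) { }
        public void setLoginTimeout(int seconds) { }
        public int getLoginTimeout() { return 0; }
        public Logger getParentLogger() { return Logger.getGlobal(); }
        public <T> T unwrap(Class<T> iface) throws SQLException { throw new SQLException("not a wrapper"); }
        public boolean isWrapperFor(Class<?> iface) { return false; }
    }
    // Returns a proxy whose only type is javax.sql.DataSource, so a cast to the impl class fails.
    static DataSource interfaceOnly(DataSource target) {
        return (DataSource) Proxy.newProxyInstance(
            InterfaceOnlyDataSource.class.getClassLoader(), new Class<?>[] { DataSource.class },
            (proxy, method, args) -> {
                // Refuse unwrap()/isWrapperFor(), which could otherwise hand the impl back.
                if (method.getName().equals("isWrapperFor")) return false;
                if (method.getName().equals("unwrap")) throw new SQLException("unwrap disabled");
                try { return method.invoke(target, args); }
                catch (InvocationTargetException e) { throw e.getCause(); }
            });
    }
    public static void main(String[] args) {
        DataSource direct = new PoolImpl("constructed-demo-secret");
        DataSource wrapped = interfaceOnly(direct);
        System.out.println("direct: cast works, getPassword() reachable, length " + ((PoolImpl) direct).getPassword().length());
        System.out.println("wrapped: instance of PoolImpl? " + (wrapped instanceof PoolImpl));
    }
}
```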