Educating ISPs

[Troy Poppe <tr...@usite.net>]

I don't know if this is applicable here or not, but I will mention it anyhow.

About a year ago, on the Apache JServ mailing list there was a discussion
about just this topic.  It came up after an administrator from Florida
International University in Miami, Florida wanted to allow his users to do
servlets in addition to the CGIs he already supported.

I mentioned several problems with this.  First, at the time, there was no
checking for permission for a class to be in a particular package.  The problem
was that if package a has a private method, say destroyDatabase(), that was
intended only for use within that package, class b could become a member of
package a, and execute that method.

The same holds true for any private variable, say a database connection with
full privledges.

Now, I haven't kept up to date on the Apache JServ development as I should have,
and I don't know if the servlet zones solves this problem (or if zones scale well
to systems with large numbers of users), but I think this might still be an
issue for allowing users to write Servlets.

The Apache JServ mailing list, for both development and users, had some mention
of this security issue, and others.  It might be a good starting point for other
such problems with multi-user servlet engines.

- Troy Poppe


On Fri, Jul 09, 1999 at 12:15:17PM -0700, Hans Bergsten wrote:
> James Duncan Davidson wrote:
> > 
> > > Why would it be important to ISPs that Servlet Security be so elaborate? Most
> > > ISPs offer CGI in Perl (and often C), which are much more insecure (I think)
> > > than either one of those.
> > 
> > You would think... The benifit is that each CGI program fires up
> > independently and has very little ability to rip though other peoples
> > data as it runs with the priveldges of the user.
> > 
> > Since the servlet engine runs everybody under the same userid, that's
> > where most of the concern that I've heard is.
> > 
> > > Am I just completely wrong about this? If not, then maybe it'd be better tough
> > > maybe not easier) to just educate ISPs about servlets.
> > 
> > Yes, a fair amount of education would go a very long way. Anybody ready
> > to write up a whitepaper about Servlets and ISPs?
> 
> I've planned to write an article about it for a long time, since educating
> ISPs is really an important part of the puzzle. But I don't know when I will
> find the time to do it, and it may also make sense to wait until Servlet 2.2
> is more stable since it addresses some of their concerns better. I can't
> promise anything yet, but I may be able to do it later this fall. It could 
> end up as a white paper on the Jakarta site or an article published in web 
> related magazines, or both.
> 
> -- 
> Hans Bergsten		hans@gefionsoftware.com
> Gefion Software		http://www.gefionsoftware.com
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: general-help@jakarta.apache.org
> 
> 

----- End forwarded message -----

----- End forwarded message -----