Posted to general@jakarta.apache.org by "Preston L. Bannister" <pr...@home.com> on 1999/07/10 02:58:44 UTC

Whitepaper covering servlet security on a shared server?

> James Duncan Davidson wrote:
> > Yes, a fair amount of education would go a very long way. Anybody ready
> > to write up a whitepaper about Servlets and ISPs?

From: Chris [mailto:chrisl@hamptons.com]
> Does 'Ready but completely unqualified' count?

Hey!  Count me in on this category :).

I have a pretty strong interest in seeing a whitepaper about Servlets and
security.  I don't claim to be an expert on the subject (is anyone?), but if
no one more qualified steps forward, I'd be willing to collect notes and put
together a whitepaper.

I've been using an ISP that wants to allow servers as an example (mutually
distrustful servlet-based applications running in one machine).  My
immediate concern is how to securely host servlets on an IBM OS/390 mainframe
(potentially a monster server).

Seems that IBM WebSphere uses something called WLM to run a distinct JVM for
each application's set of servlets.  Sounds similar to what I've seen
described for Jserv.  This approach likely works quite well for a server
hosting a handful of servlet-based applications.  I'm not sure this approach
suits an ISP where you really want something like a per-user sandbox
(cheaper than another JVM).