Posted to dev@tomcat.apache.org by Glenn Nielsen <gl...@voyager.apg.more.net> on 2002/02/26 18:08:08 UTC
Re: [PROPOSAL] - Tomcat 4, implement new Catalina SecurityManager Policy class
Remy Maucherat wrote:
>
> > Remy Maucherat wrote:
> > >
> > > > Due to recent questions about the SecurityManager implementation in
> > > > Tomcat 4 I decided to post my proposal for overhauling how security
> > > > policies are managed in Tomcat 4. This is something I have wanted
> > > > to do for a while but has been sitting on the back burner as I have
> > > > been very busy with other work (non open source) related projects.
> > >
> > > Yes, I think it looks good, and full of useful features.
> >
> > Thanks.
> >
> > > The only thing is that IMO it should be integrated in the server.xml file
> > > and its child files. I don't see any reason to keep that in separate config
> > > files.
> >
> > server.xml child files ??
>
> Like the ones used for the admin and manager webapps (webapps/admin.xml and
> webapps/manager.xml). It's just as if that XML fragment was inserted in the
> server.xml file.
>
> > > I think I could implement it if I have some time, which is a possibility
> > > after I finish Coyote.
> >
> > What's the timeline on that?
>
> Whenever I stop trying to fix bugs for one whole week. Of course, it's less
> a priority now that (unexpectedly) JK is out there and fully supported.
> I still have some design decisions to make for the Catalina wrapper (the
> HTTP stack itself looks good enough already).
>
> > I originally wrote that proposal Jan 3, but was sitting on it
> > because I was very busy with other projects. I have some time now to
> > work on it. I'll see if I can flush out the design some more.
>
> No problem then, I was just suggesting that if you didn't have time.
>
If you want to help, great! The more who learn about the SecurityManager
implementation in Tomcat, the better.
> > BTW, I have been testing Tomcat 4.1-dev built from CVS using java 1.4 with
> > -security. Tomcat runs fine with the default catalina.policy, but fails
> > when I use a more restrictive policy. I think the problem is in Java 1.4,
> > I have filed a bug report on this. So for now, I am back to using java 1.3.1.
>
> I was very unhappy about 1.4 b3, which had lots of classloading issues.
> Thankfully, the RC and the final have been much better, but I'm not
> surprised there are still issues remaining in some more advanced use cases.
> What's the bugtraq number for your report ?
>
"Your report has been assigned an internal review ID of: 143293"
This is not visible through JDC yet. My report is a bit misleading.
I now have minimal sourcecode which demonstrates the bug. I could
send you a tar.gz of the source, shell script, and policy file which
demonstrates the bug. It sure would be nice if I could attach this
tar.gz to the bug I already filed with Sun.
Glenn
----------------------------------------------------------------------
Glenn Nielsen glenn@more.net | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
----------------------------------------------------------------------