Posted to dev@tomcat.apache.org by Jean-Francois Arcand <jf...@apache.org> on 2002/10/23 21:18:16 UTC
Security Check in Classloader.
Hi,
In StandardClassLoader, starting line 815, the SecurityManager is invoked:
    // (.5) Permission to access this class when using a SecurityManager
    if (securityManager != null) {
        int i = name.lastIndexOf('.');
        if (i >= 0) {
            try {
                securityManager.checkPackageAccess(name.substring(0,i));
            } catch (SecurityException se) {
                String error = "Security Violation, attempt to use " +
                    "Restricted Class: " + name;
                System.out.println(error);
                se.printStackTrace();
                log(error);
                throw new ClassNotFoundException(error);
            }
        }
    }
Why are we calling the SecurityManager.checkPackageAccess
in StandardClassLoader? Since we give all permissions to
org.apache.catalina, I think this call is useless. This call is required
when invoked inside WebappClassLoader.
Thanks,
-- Jeanfrancois
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Security Check in Classloader.
Posted by Jean-Francois Arcand <jf...@apache.org>.
Forget that email. The problem is in front of the computer, not in the
class ;-)
-- Jeanfrancois
Jean-Francois Arcand wrote:
> Hi,
>
> In StandardClassLoader, starting line 815, the SecurityManager is
> invoked:
>
>     // (.5) Permission to access this class when using a SecurityManager
>     if (securityManager != null) {
>         int i = name.lastIndexOf('.');
>         if (i >= 0) {
>             try {
>                 securityManager.checkPackageAccess(name.substring(0,i));
>             } catch (SecurityException se) {
>                 String error = "Security Violation, attempt to use " +
>                     "Restricted Class: " + name;
>                 System.out.println(error);
>                 se.printStackTrace();
>                 log(error);
>                 throw new ClassNotFoundException(error);
>             }
>         }
>     }
>
> Why are we calling the SecurityManager.checkPackageAccess in
> StandardClassLoader? Since we give all permissions to
> org.apache.catalina, I think this call is useless. This call is
> required when invoked inside WebappClassLoader.
>
> Thanks,
>
> -- Jeanfrancois
>
>
Re: Security Check in Classloader.
Posted by Glenn Nielsen <gl...@mail.more.net>.
Jean-Francois Arcand wrote:
> Hi,
>
> In StandardClassLoader, starting line 815, the SecurityManager is invoked:
>
>     // (.5) Permission to access this class when using a SecurityManager
>     if (securityManager != null) {
>         int i = name.lastIndexOf('.');
>         if (i >= 0) {
>             try {
>                 securityManager.checkPackageAccess(name.substring(0,i));
>             } catch (SecurityException se) {
>                 String error = "Security Violation, attempt to use " +
>                     "Restricted Class: " + name;
>                 System.out.println(error);
>                 se.printStackTrace();
>                 log(error);
>                 throw new ClassNotFoundException(error);
>             }
>         }
>     }
>
> Why are we calling the SecurityManager.checkPackageAccess in
> StandardClassLoader? Since we give all permissions to
> org.apache.catalina, I think this call is useless. This call is required
> when invoked inside WebappClassLoader.
>
Because a paranoid Tomcat admin like me may not grant AllPermission to catalina
in their security policy.
Regards,
Glenn