Java Mailing List Archive

http://www.junlu.com/


Re: Tomcat + Hibernate2 + Security Manager

Jean-Francois Arcand

2004-01-27


Webmaster wrote:

>Hi all,
>
>I know this is a little bit off topic, but the general concept is useful for everybody.
>
>I run Tomcat with the security manager for a dozen users. Recently, people started to use Hibernate 2, which requires some funky permissions.
>
>I had to put these lines in the 'global' permission to make it work:
>
>grant {
>
>    ...
>
>    permission java.lang.RuntimePermission "accessDeclaredMembers";
>    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>    permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
>
>    ...
>}
>
>Note: I DID test using a codebase like:
>
>grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" {
>....
>
>but the classes hibernate creates after reflection stop obeying the security manager.
>
>
Do you have the exception? Which Tomcat version are you using?


>Are there any security risks in a security setup with those 3 lines for all classes in the JVM?
>
>

Yes. It will now allow a Servlet to "load" Tomcat internal classes and
"maybe" do malicious things.

-- Jeanfrancois


>Thanks
>Renato.
>


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)
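The risk Jean-Francois is pointing at, as an added example that is not code from this thread, from Tomcat or from Hibernate. The stand-alone Java program below installs a SecurityManager, loads a stand-in for webapp code into its own protection domain (the way a container isolates each webapp), and has that code read a private field of a stand-in for a container-internal class by reflection. Given the three permissions from the global grant, the read succeeds; without them the same call is refused already at getDeclaredField, the check that "accessDeclaredMembers" guards (it fires because the caller's class loader differs from the target's), and setAccessible(true) would fail next on "suppressAccessChecks". The class names, the file:/var/tomcat/webapps/client/ code source and the field value are assumptions made for the demo. The comment in findClass also explains what Renato observed with the per-codebase grant: a class defined through the four-argument ClassLoader.defineClass, with no ProtectionDomain, lands in the loader's default domain, whose CodeSource is not that of any jar, so a grant keyed on hibernate2.jar does not apply to classes generated at runtime.

```java
// SandboxDemo.java -- added example; not code from this thread, Tomcat or Hibernate.
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.function.Function;

public class SandboxDemo {

    /** Stand-in for a container-internal class (hypothetical, not a Tomcat class). */
    public static final class ContainerInternals {
        private String adminPassword = "s3cret";   // constructed sample secret
    }

    /** Stand-in for webapp code; it reaches the private field only by reflection. */
    public static final class Untrusted implements Function<Object, String> {
        @Override public String apply(Object target) {
            try {
                // Cross-loader getDeclaredField: guarded by RuntimePermission "accessDeclaredMembers".
                Field f = target.getClass().getDeclaredField("adminPassword");
                // Bypassing 'private': guarded by ReflectPermission "suppressAccessChecks".
                f.setAccessible(true);
                return (String) f.get(target);
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    private static final String UNTRUSTED = SandboxDemo.class.getName() + "$Untrusted";

    /** Minimal webapp-style loader: defines only Untrusted, with an explicit domain. */
    static final class WebappLoader extends ClassLoader {
        private final ProtectionDomain domain;
        WebappLoader(ProtectionDomain domain) {
            super(SandboxDemo.class.getClassLoader());
            this.domain = domain;
        }
        @Override protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(UNTRUSTED)) return super.loadClass(name, resolve);
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) c = findClass(name);
                if (resolve) resolveClass(c);
                return c;
            }
        }
        @Override protected Class<?> findClass(String name) throws ClassNotFoundException {
            String res = "/" + name.replace('.', '/') + ".class";
            try (InputStream in = SandboxDemo.class.getResourceAsStream(res)) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] b = in.readAllBytes();
                // 'domain' decides which grants the class gets. The four-argument defineClass
                // (no ProtectionDomain) would put it in the loader's default domain instead,
                // whose CodeSource is not a jar's, so a codeBase grant on a jar never matches.
                return defineClass(name, b, 0, b.length, domain);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** Static domain for the webapp: exactly the given permissions, Policy not consulted. */
    static ProtectionDomain webappDomain(Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        // Assumed code source for the demo; any file: URL would do.
        CodeSource cs = new CodeSource(URI.create("file:/var/tomcat/webapps/client/").toURL(),
                                       (Certificate[]) null);
        return new ProtectionDomain(cs, perms);   // two-arg constructor = static permissions
    }

    /** Runs the webapp code against a container object inside the given domain. */
    @SuppressWarnings("unchecked")
    static String attempt(ProtectionDomain domain) throws Exception {
        Function<Object, String> webapp = (Function<Object, String>)
                new WebappLoader(domain).loadClass(UNTRUSTED).getDeclaredConstructor().newInstance();
        try {
            return "read: " + webapp.apply(new ContainerInternals());
        } catch (SecurityException e) {          // AccessControlException is a SecurityException
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Everything outside the webapp domain (this class, the JDK) gets all permissions,
        // so only the webapp's own grants decide the outcome.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        // 1. The global grant from the thread, as seen by webapp code: the private field is read.
        System.out.println(attempt(webappDomain(
                new RuntimePermission("accessDeclaredMembers"),
                new ReflectPermission("suppressAccessChecks"),
                new RuntimePermission("defineCGLIBClassInJavaPackage"))));
        // 2. No such grant: getDeclaredField is refused before setAccessible is reached.
        System.out.println(attempt(webappDomain()));
    }
}
```

Compile and run with `javac SandboxDemo.java && java SandboxDemo` on JDK 11 to 17; JDK 18 to 23 need `-Djava.security.manager=allow`, and JDK 24 removed the SecurityManager, so the demo cannot run there. The first run prints the secret, the second an access-denied message naming "accessDeclaredMembers". The container's own code is modelled by the all-permissive Policy; in a real deployment the container's classes are the ones a webapp holding these grants can reflect into, which is exactly why the default catalina.policy does not give them to every codebase.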



©2008 junlu.com - Jax Systems, LLC, U.S.A.