james-server-dev mailing list archives

From "Danny Angus" <da...@apache.org>
Subject RE: Download jars instead of keeping in CVS?
Date Tue, 04 Feb 2003 11:46:23 GMT
> > 2/ there is a security issue involved in allowing applications
> > to access any installed library, even those not explicitly
> > required by the application.
>
> Could you please expand on this?

It seems to me that an application could check for the presence of packages which you would
not ordinarily want it to access.

Activation and reflection allow programmes to programmatically create objects/references at
runtime. JDBC drivers and logging are two areas where runtime binding plays a key role. Two
ways to limit access to potentially dangerous code include not putting classes in the classpath
and using the security manager. If some kind of system-wide package discovery is available,
it removes the first of these safety nets, putting the whole burden on correct administration
of the security manager.

d.


---------------------------------------------------------------------
To unsubscribe, e-mail: james-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-dev-help@jakarta.apache.org
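
The two safety nets described in the message above, as an added example that is not part of the original post or of the James code base: the same reflective lookup is run through the application class loader and through an isolated loader that has nothing on its classpath. The class name `com.example.DangerousTool` is a hypothetical placeholder for a library that is not installed.

```java
import java.net.URL;
import java.net.URLClassLoader;

public class ClasspathProbe {

    /** Resolves a class name through one loader and reports which control, if any, stopped it. */
    static String probe(String className, ClassLoader loader) {
        try {
            // initialize=false: resolve the name without running static initializers
            Class.forName(className, false, loader);
            return "VISIBLE";
        } catch (ClassNotFoundException | LinkageError e) {
            // First safety net: the class is not reachable from this loader's classpath
            return "ABSENT";
        } catch (SecurityException e) {
            // Second safety net: only thrown when an installed security manager
            // denies access to the package
            return "DENIED";
        }
    }

    public static void main(String[] args) throws Exception {
        String[] candidates = {
            "java.lang.String",               // core class, visible to every loader
            ClasspathProbe.class.getName(),   // present on the application classpath only
            "com.example.DangerousTool"       // hypothetical name, not installed
        };

        ClassLoader app = ClasspathProbe.class.getClassLoader();
        // Isolated loader: no URLs and a null parent, so it delegates to the bootstrap loader only
        try (URLClassLoader isolated = new URLClassLoader(new URL[0], null)) {
            for (String name : candidates) {
                System.out.printf("%-28s app=%-8s isolated=%s%n",
                        name, probe(name, app), probe(name, isolated));
            }
        }
    }
}
```

The security manager has been deprecated for removal since Java 17 (JEP 411), so on current JDKs class-loader visibility is the control of the two that remains available.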

