This is the mail archive of the
java@gcc.gnu.org
mailing list for the Java project.
Re: JSP Servlet container / WEB server
On Sun, 2003-07-20 at 13:33, Andrew Haley wrote:
> Mohan Embar writes:
> > Hi Lars,
> >
> > >I have made a web server that compiles JSP pages and servlets into .so
> > >dynamic libraries using GCJ. The web engine itself is of course compiled
> > >with GCJ.
> > >This makes for a compact, fast little web server!
> >
> > Cool!
> >
> > I know you said to continue the discussion elsewhere, but I've got one
> > gcj-related question which may or may not be sacrilegious for this list.
> > Doesn't running the webserver and compiled JSPs as native code
> > potentially bypass all of Java's purportedly wonderful security features?
> > I don't recall if I'm remembering this correctly, but isn't gcj somewhat
> > lacking in things like class verification and maybe even security checks?
>
> This is true. The gcj libraries don't implement the Java security
> sandbox.
And I had to skip those sections of the servlet API, and just do plain
class loading everywhere. (The security features would be implemented by
a designated classloader). This is just one of many parts of the API
that I had to shortcut, or plainly do without.
But it doesn't hurt basic functionality as it clearly demonstrates.
And I think GCJ's other strong points makes it worthwhile.
> > I know there are a million ways to secure a webserver, but I kind of
> > like the idea of a real JVM being sort of a safety net.
>
> It's not the jvm that provides this, but the libraries -- there's no
> reason fully compiled Java can't be just as secure as a conventional
> VM.
Agreed.
/Lars Andersen