This is the mail archive of the
java@gcc.gnu.org
mailing list for the Java project.
Re: JSP Servlet container / WEB server
- From: Mark Wielaard <mark at klomp dot org>
- To: gnustuff at thisiscool dot com
- Cc: Andrew Haley <aph at redhat dot com>, java at gcc dot gnu dot org, Lars Andersen <lars at rimfaxe dot com>
- Date: 20 Jul 2003 15:26:47 +0200
- Subject: Re: JSP Servlet container / WEB server
- References: <NHANK1VYXCOLRQDAZW62C9B0A5IDG.3f1a9105@p733>
Hi,
On Sun, 2003-07-20 at 14:54, Mohan Embar wrote:
> > > I don't recall if I'm remembering this correctly, but isn't gcj somewhat
> > > lacking in things like class verification and maybe even security checks?
> >
> >This is true. The gcj libraries don't implement the Java security
> >sandbox.
>
> Do they not implement this at all? Maybe not a true applet sandbox, but I
> see lots of SecurityManager calls in the net code for example. I haven't
> followed these to see if they lead anywhere, though.
Most of the security framework/support is in the libraries. There are
only a few last issues with the byte code verifier. And java.util.jar
should correctly assign certificates from classes loaded from jar files
which is currently not implemented. But the big missing thing is
java.security.AccessController. This is were most of the security checks
end up and if you look at the implementation you will see that it is
just stubs at the moment.
Cheers,
Mark