2015-11-20 15:47 GMT+03:00 Christopher Schultz <ch...@christopherschultz.net>:
> All,
>
> I thought there was a BZ issue for this, but I didn't find one. It's
> been suggested (and I agree completely) that an application ought to be
> able to fetch the CredentialHandler for the context's realm so that it
> could mutate user credentials in the same way that the Realm expects to
> do. That allows applications to change users' passwords, for instance.
>
In review of r1715434:

1. I think this has to be an opt-in feature. I do not see high risk though.
In theory, if stored credentials are known then CredentialHandler allows
untrusted applications to test potential passwords without triggering a
lock-out timer.

I am OK with this being a StandardContext feature, though there is an
alternative way: to implement publishing the attribute with a Listener.

2. A web application is not allowed to access classes in org.apache.catalina.
Interfaces exposed to web applications (InstanceManager etc.) are in the
org.apache.tomcat package and access to them is granted with the following
lines in catalina.policy:

    // All JSPs need to be able to read this package
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";

Best regards,
Konstantin Kolinko
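The use case from the quoted mail (an application changing a user's password with the Realm's own CredentialHandler), as an added example that is not code from this thread or from Tomcat itself. It assumes the context publishes the handler under the ServletContext attribute name given below, that the webapp is granted access to org.apache.catalina when a security manager is in use (the point raised in item 2), and a hypothetical UserStore DAO for the stored credential.

```java
// Added example, not from the thread or from Tomcat's own code.
// Assumed: attribute name below, servlet 3.x javax API, hypothetical UserStore DAO.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.CredentialHandler;

public class ChangePasswordServlet extends HttpServlet {
    // Assumed attribute name; the thread does not fix one.
    private static final String HANDLER_ATTR = "org.apache.catalina.CredentialHandler";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only an authenticated user may change their own password.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        CredentialHandler handler =
                (CredentialHandler) getServletContext().getAttribute(HANDLER_ATTR);
        if (handler == null) {
            // The feature is opt-in: nothing published means no password changes here.
            resp.sendError(HttpServletResponse.SC_NOT_IMPLEMENTED);
            return;
        }
        String user = req.getUserPrincipal().getName();
        String oldPassword = req.getParameter("oldPassword");
        String newPassword = req.getParameter("newPassword");
        if (oldPassword == null || newPassword == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Re-verify the current password against the stored form with the same
        // handler the Realm uses, so the comparison follows the Realm's rules.
        String stored = UserStore.loadStoredCredential(user);   // hypothetical DAO
        if (stored == null || !handler.matches(oldPassword, stored)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // mutate() produces the stored form (e.g. a salted, iterated hash for a
        // SecretKeyCredentialHandler) in exactly the format the Realm expects.
        UserStore.saveStoredCredential(user, handler.mutate(newPassword));
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Requiring the old password on every change keeps the handler from being used as an offline guessing oracle by the application layer itself; the Realm's lock-out accounting still applies to the login path.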