On 18/08/2013 20:06, Raymond Auge wrote:
> On Sun, Aug 18, 2013 at 1:59 PM, Mark Thomas <ma...@apache.org> wrote:
>> Web applications have no business trying to configure a security
>> manager. First of all this is a container concern, not an application
>> concern. Secondly, a security manager applies JVM wide. An application
>> has no way to determine how to configure a security manager to enable
>> any other applications to operate correctly. This is why it is a
>> container concern where the deployer can determine a) if they require a
>> security manager in their environment (something else an application has
>> no way of determining) and b) what an appropriate security policy is for
>> their environment.

<snip/>

> Nowhere in any specification is this stated!

Maybe not in language that is immediately clear but this is stated in
the J2EE platform specification. (section EE.6.2.2)

> Why can't a web application declare and provide a security manager?

Think about it. If an application configures a security manager it also
needs to define the security policy. The application will know what
permissions it needs but it will not know:
- what permissions the container needs
- what permissions other applications deployed in the container need

The likely result of an application configuring a security manager will
be a long series of security exceptions and a significant - if not total
- loss of functionality.

Mark
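
The point made in the message above, shown as an added illustration that is not part of the original e-mail: a deployer-owned Java policy file in the style of Tomcat's catalina.policy. The application names (shop, reports), the host name and the file paths are constructed for the example.

```java-policy
// Constructed example of a deployer-owned policy file (catalina.policy style).
// It is loaded once for the whole JVM, so it has to cover every code source.

// 1. The container itself: bootstrap code and shared libraries.
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
    permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};

// 2. Application "shop" (hypothetical): needs its database and a spool directory.
grant codeBase "file:${catalina.base}/webapps/shop/-" {
    permission java.net.SocketPermission "db.example.internal:5432", "connect";
    permission java.io.FilePermission "${catalina.base}/work/shop-spool/-", "read,write,delete";
};

// 3. Application "reports" (hypothetical): different needs, unknown to "shop".
grant codeBase "file:${catalina.base}/webapps/reports/-" {
    permission java.util.PropertyPermission "user.timezone", "read";
    permission java.io.FilePermission "/srv/reports/templates/-", "read";
};

// A policy written from the point of view of "shop" alone would contain only
// block 2. Blocks 1 and 3 would be missing, so container code and "reports"
// would fail with java.security.AccessControlException on the first
// operation that needs a permission.
```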