- From: Alexandre Rafalovitch <alex@access.com.au>
- Date: Sat, 16 Nov 1996 12:09:30 +1000
- To: www-jigsaw@w3.org
At 8:17 PM +1000 15/11/96, Anselm Baird_Smith wrote:
>Alexandre Rafalovitch writes:
> > >A lot of work will be needed to create a suitable security manager for
> > >Jigsaw, as a rough estimate, I would say that nearly all the methods
> > >of httpd would have to go through a secuirity check (they all return
> > >sensitive data, such as the root resource, etc).
> > >
> > Not really. We can assume two things. First, there are no static methods on
> > the server that give out any information. Second, non-secure resources
> > (CGIs, Servlet before authorisations, agents, etc) would not have access to
> > the server because their bridges (eg CGIResource) would not expose server
> > objects to them.
>
>Well, I agree public static method are dangerous, but think of this
>one, just as examples of how difficult the task is:
>
>request.getClient().getServer();
>resource().getServer()
>etc
>
Ok. now I agree that resources one installs through the /Admin have to be
trusted because they have to have access to all that information. However,
for resources that can be installed automatically (CGI, Servlets, Aglets)
they would not be conforming to Jigsaw resource model, so they would be
talking through the bridge classes. (eg. ServletStub and ServletContext for
Servlets). Those stubs should be written in a way that prevents the
untrusted resources to access sensitive classes.
A good example would be servlets host implementation (RSN).
Regards,
Alex.
alex@access.com.au
Received on Friday, 15 November 1996 20:08:13 UTC