[Owasp-dotnet] Re: [OWASP-LEADERS] What are the 'Real World' security advantages of the .Net Framework and the JVM?
Rogan Dawes
rogan at dawes.za.net
Wed Nov 2 08:21:55 EST 2005
Jeff Williams wrote:
>>In a way, this is not very different to the learning mode of the current
>>web application firewalls, except it works on the backend, rather than
>>in front of the application. AND, you could potentially configure
>>different security managers for each application running on the server.
>>
>>Could be an interesting project . . . .
>
>
> No, it's not hard at all. I wrote something along these lines for Java back
> in 2001. It intercepts all SecurityManager calls, pops up a window that
> allows the user to select the policy, and writes it out as a security.policy
> file.
>
> I used to use it to run untrusted java apps so that I could be sure they
> weren't trying to start a server, access files, or do a runtime.exec. I'd
> be happy to contribute it to OWASP if there's interest.
>
> --Jeff

How difficult does it get when you are running a servlet, or similar
setup inside an application server? Does the servlet engine or app
server install its own SecurityManager first?

i.e. for a Java shared hosting environment, would it be possible to run
different Security Managers for different WAR/EAR applications?

Rogan
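
The learning-mode idea from the quoted message, as an added example (not Jeff's tool and not code from this thread): a SecurityManager subclass that records every permission request instead of denying it and renders the result in security.policy syntax. The class name `LearningSecurityManager` is hypothetical, it records everything rather than prompting the user, and the sample requests are constructed and passed in directly instead of installing the manager with `System.setSecurityManager`.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;
import java.util.Set;
import java.util.TreeSet;

// Added example: learning-mode SecurityManager that records instead of denying.
@SuppressWarnings("removal") // SecurityManager is deprecated for removal (JEP 411)
public class LearningSecurityManager extends SecurityManager {
    // One policy line per distinct permission, sorted for stable output.
    private final Set<String> seen = new TreeSet<>();

    @Override
    public synchronized void checkPermission(Permission perm) {
        seen.add(toPolicyLine(perm)); // record the request; never throw
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm); // same treatment for context-based checks
    }

    // Policy-file syntax: permission <class> "<name>"[, "<actions>"];
    static String toPolicyLine(Permission p) {
        String line = "    permission " + p.getClass().getName()
                + " \"" + escape(p.getName()) + "\"";
        String actions = p.getActions();
        if (actions != null && !actions.isEmpty()) line += ", \"" + escape(actions) + "\"";
        return line + ";";
    }

    // Backslashes and quotes must be escaped inside policy-file strings.
    static String escape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    // Everything observed so far, as one unconditional grant block.
    public synchronized String toPolicy() {
        return "grant {\n" + String.join("\n", seen) + "\n};\n";
    }

    public static void main(String[] args) {
        LearningSecurityManager sm = new LearningSecurityManager();
        // Constructed sample requests standing in for what an application would trigger.
        sm.checkPermission(new FilePermission("/tmp/upload/-", "read,write"));
        sm.checkPermission(new SocketPermission("localhost:8080", "listen"));
        sm.checkPermission(new RuntimePermission("exitVM"));
        System.out.print(sm.toPolicy());
    }
}
```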