Secure Coding mailing list archives
Re: Java sandboxing not used much
From: "Jared W. Robinson" <jwr () xmission com>
Date: Thu, 11 Mar 2004 20:35:15 +0000
I'd go further - I think it is extremely rare that anyone configures their sandbox properly. I "do" Java development, and I would guess that less than 10% of application server deployments are done with the Java security manager enabled.
Complex security systems are often completely ignored. For example, I think the UNIX permission model is great -- it's simplistic, and fairly easy to learn and use. As a result, it does get used. ACLs are significantly more powerful and complex. Many people are tempted to ignore them or turn them off completely. The simplicity of the traditional UNIX permission model means that it is more likely to be used than abused.
This may be applicable to the Java sandbox. It is complex. Maybe if it were in people's faces more, or if some kind of default sandboxing occurred, it would be more used.
- Jared