By default, the Verifier is disabled on .Net and Java

[jeff.williams at aspectsecurity.com (Jeff Williams)]

> > 2) The verifier also seems to be enabled for classes running inside
Tomcat. I'm >> not sure about other J2EE containers. 
> This is interesting, do you have any documentation to back this up?
Ideally there > would be a document somewhere which listed which J2EE
containers run with the > verifier on by default

I determined this experimentally since I cannot find any authoritative
documentation showing exactly when classes are verified and when they are
not.  The test is essentially the same as the other tests discussed in this
thread.

You can try it yourself with the attached zip file. Start with TestServlet
calling public method named privateMethod() in Foo.java.  Compile both files
"javac -classpath servlet-api.jar *.java".  Then edit Foo.java to make
privateMethod really private.  Then recompile just Foo.java "javac
-classpath servlet-api.jar Foo.java".  Copy the class files into the
WEB-INF\classes folder.  Then drop the whole TestServlet folder into the
webapps directory in a standard Tomcat directory.  Run Tomcat's startup.bat
and browse to http://localhost:8080/TestServlet/test.

Here's the output.  I'd love to hear what happens with this in other
servers, if anyone has WebSphere or WebLogic lying around.

java.lang.IllegalAccessError: tried to access method Foo.privateMethod()V
from c
lass TestServlet
        at TestServlet.doGet(TestServlet.java:22)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl
icationFilterChain.java:252)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF
ilterChain.java:173)
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV
alve.java:213)
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextV
alve.java:178)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
ava:126)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
ava:105)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
ve.java:107)
        at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
a:148)
        at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java
:868)
        at
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.p
rocessConnection(Http11BaseProtocol.java:663)
        at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpo
int.java:527)
        at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFol
lowerWorkerThread.java:80)
        at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadP
ool.java:684)
        at java.lang.Thread.run(Thread.java:595)

--Jeff

-------------- next part --------------
A non-text attachment was scrubbed...
Name: VerifierServletTest.zip
Type: application/x-zip-compressed
Size: 93846 bytes
Desc: not available
Url : http://krvw.com/pipermail/sc-l/attachments/20060505/a752705d/attachment.bin