Secure Coding mailing list archives
By default, the Verifier is disabled on .Net and Java
From: jeff.williams at aspectsecurity.com (Jeff Williams)
Date: Fri, 5 May 2006 00:13:16 -0400
>> 2) The verifier also seems to be enabled for classes running inside
>> Tomcat. I'm not sure about other J2EE containers.
>
> This is interesting, do you have any documentation to back this up?
> Ideally there would be a document somewhere which listed which J2EE
> containers run with the verifier on by default

I determined this experimentally since I cannot find any authoritative documentation showing exactly when classes are verified and when they are not. The test is essentially the same as the other tests discussed in this thread. You can try it yourself with the attached zip file. Start with TestServlet calling a public method named privateMethod() in Foo.java. Compile both files "javac -classpath servlet-api.jar *.java". Then edit Foo.java to make privateMethod really private. Then recompile just Foo.java "javac -classpath servlet-api.jar Foo.java". Copy the class files into the WEB-INF\classes folder. Then drop the whole TestServlet folder into the webapps directory in a standard Tomcat directory. Run Tomcat's startup.bat and browse to http://localhost:8080/TestServlet/test.

Here's the output. I'd love to hear what happens with this in other servers, if anyone has WebSphere or WebLogic lying around.
java.lang.IllegalAccessError: tried to access method Foo.privateMethod()V from class TestServlet
	at TestServlet.doGet(TestServlet.java:22)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
	at java.lang.Thread.run(Thread.java:595)

--Jeff

-------------- next part --------------
A non-text attachment was scrubbed...
Name: VerifierServletTest.zip
Type: application/x-zip-compressed
Size: 93846 bytes
Desc: not available
Url : http://krvw.com/pipermail/sc-l/attachments/20060505/a752705d/attachment.bin
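
The recompile-one-class test described in the message above, as an added example that is not part of the original post or its attachment. `Caller` is a hypothetical stand-in for TestServlet, and the classes are loaded through a `URLClassLoader` instead of by Tomcat, so the program reports the behaviour of whichever JVM runs it, not of any container.

```java
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.concurrent.Callable;

// Added example: repeats the stale-caller test without a servlet container.
// Caller is a hypothetical stand-in for TestServlet. Needs a JDK (javac), not only a JRE.
public class VerifierAccessTest {
    static final String FOO =
        "public class Foo { %s String privateMethod() { return \"reached Foo.privateMethod()\"; } }";
    static final String CALLER =
        "public class Caller implements java.util.concurrent.Callable<String> {"
      + " public String call() { return new Foo().privateMethod(); } }";

    static void compile(JavaCompiler javac, Path dir, String name, String source) throws Exception {
        Path file = dir.resolve(name + ".java");
        Files.write(file, source.getBytes(StandardCharsets.UTF_8));
        // Same effect as: javac -classpath <dir> -d <dir> <file>
        int rc = javac.run(null, null, null, "-classpath", dir.toString(), "-d", dir.toString(), file.toString());
        if (rc != 0) throw new IllegalStateException("javac failed for " + name);
    }

    @SuppressWarnings("unchecked")
    public static void main(String[] args) throws Exception {
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        if (javac == null) throw new IllegalStateException("no system compiler: run on a JDK");
        Path dir = Files.createTempDirectory("verifier-test");

        // Step 1: compile both classes while privateMethod() is still public.
        compile(javac, dir, "Foo", String.format(FOO, "public"));
        compile(javac, dir, "Caller", CALLER);
        // Step 2: make the method private and recompile only Foo; Caller.class is now stale.
        compile(javac, dir, "Foo", String.format(FOO, "private"));

        // Step 3: load the stale pair from disk and make the call.
        try (URLClassLoader loader = new URLClassLoader(new URL[] { dir.toUri().toURL() })) {
            Object caller = loader.loadClass("Caller").getDeclaredConstructor().newInstance();
            String result = ((Callable<String>) caller).call();
            System.out.println("Access check NOT enforced: " + result);
        } catch (IllegalAccessError e) {
            System.out.println("Access check enforced: " + e);
        }
    }
}
```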