We are trying to use SecurityManager with Resin 3.1.9 and have run into the following problem: CodeSource.getLocation() returns null for compiled JSPs.
This means that we cannot use a specific codebase in a grant clause in our policy file, for example:
    grant codeBase "file:/path_to_resin/runtime/work/-" {
    // OR: grant codeBase "file:/path_to_resin/webapp/JSP-source/-" {
        //...some jsp-specific permissions
    };
Instead, we have to use a universal grant clause:
    grant {
        //..some jsp-specific permissions. Unfortunately, these will be applied
        //to all code!!!
    };
Is there a way to make JSPs have a proper CodeSource? We'd like to restrict the permissions of third-party libraries, but give permissions to our own JSPs. If we cannot specify JSPs in the policy file, we might not be able to do this, or what do you think?
EDIT: We deploy JSPs as-is, so we don't recompile them. That might have something to do with the problem.
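
The JVM mechanism behind the symptom described above, as an added example that is not part of the original post and is not Resin code: a class defined without a CodeSource gets a default ProtectionDomain whose location is null, so no codeBase grant can match it. The FakeJsp class, the Loader class and the JSP class-file path are hypothetical; whether Resin 3.1.9 defines JSP classes this way is an assumption the post does not confirm. Compile with javac on JDK 9 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.security.CodeSource;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;

public class CodeSourceDemo {
    /** Hypothetical stand-in for a compiled JSP class; its bytes are re-defined below. */
    public static class FakeJsp {}

    /** Hypothetical loader: defines FakeJsp itself, with or without a CodeSource. */
    static class Loader extends SecureClassLoader {
        private final CodeSource cs;
        Loader(CodeSource cs) { super(CodeSourceDemo.class.getClassLoader()); this.cs = cs; }
        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(FakeJsp.class.getName())) return super.loadClass(name, resolve);
            String res = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(res)) {
                byte[] b = in.readAllBytes();
                // cs == null: plain defineClass, so the JVM assigns its default domain
                return cs == null ? defineClass(name, b, 0, b.length)
                                  : defineClass(name, b, 0, b.length, cs);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** Returns the CodeSource the JVM recorded for FakeJsp after defining it. */
    static CodeSource sourceOf(CodeSource defineWith) throws Exception {
        Class<?> c = new Loader(defineWith).loadClass(FakeJsp.class.getName());
        return c.getProtectionDomain().getCodeSource();
    }

    public static void main(String[] args) throws Exception {
        Certificate[] none = null;
        // codeBase taken from the policy file in the question
        CodeSource grant = new CodeSource(URI.create("file:/path_to_resin/runtime/work/-").toURL(), none);
        // constructed (hypothetical) location of one compiled JSP class
        CodeSource jsp = new CodeSource(
                URI.create("file:/path_to_resin/runtime/work/_jsp/_index__jsp.class").toURL(), none);
        for (CodeSource definedWith : new CodeSource[] { null, jsp }) {
            CodeSource actual = sourceOf(definedWith);
            System.out.println("location=" + (actual == null ? null : actual.getLocation())
                    + " matchesGrant=" + grant.implies(actual));
        }
    }
}
```

CodeSource.implies is the same comparison the policy uses to decide whether a grant entry applies to a class, which is why only the grant without a codeBase takes effect when the location is null.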