SECTION: 400-Security
TITLE: Is it secure?
QUESTION: Is Jetty secure? (Is it Secret? Is it Safe?)

Against the spec (i.e. giving access only to resources that the servlet spec allows), we have historically had a few security issues. However, we have more often been in the role of finding a problem in all servlet implementations and driving the fix. We have at times raised CERT security advisories on all servlet containers.

For general security (can the server be used to break into a system), we have never had an issue. Jetty does not call exec other than in the CGI servlet - which is easy to configure out. No network supplied data is used for loading classes. The WEB-INF/lib and WEB-INF/classes directories are strongly protected from read and write.
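A deployment check for the CGI point above, as an added example that is not part of the original FAQ or of Jetty itself: it scans a `web.xml` or `webdefault.xml` descriptor for servlet declarations of the CGI servlet and reports the URL patterns mapped to them. The class names `org.mortbay.servlet.CGI` and `org.eclipse.jetty.servlets.CGI` are assumed to be the ones your Jetty version uses, and the sample descriptor (including `com.example.HelloServlet`) is constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: CGI servlet class names (org.mortbay in older Jetty releases,
# org.eclipse in later ones). Adjust to the Jetty version you deploy.
CGI_CLASSES = {"org.mortbay.servlet.CGI", "org.eclipse.jetty.servlets.CGI"}

# Constructed sample descriptor, not taken from any real deployment.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>hello</servlet-name>
    <servlet-class>com.example.HelloServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.mortbay.servlet.CGI</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
</web-app>"""

def _local(tag):
    # Drop an XML namespace prefix such as "{http://...}servlet".
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def find_cgi_servlets(descriptor_xml):
    """Return {servlet-name: {"class": ..., "patterns": [...]}} for CGI servlets.

    A declared but unmapped CGI servlet is still reported, with no patterns.
    """
    root = ET.fromstring(descriptor_xml)
    findings = {}
    for elem in root.iter():
        if _local(elem.tag) == "servlet":
            cls = _child_text(elem, "servlet-class")
            if cls in CGI_CLASSES:
                findings[_child_text(elem, "servlet-name")] = {"class": cls, "patterns": []}
    for elem in root.iter():
        if _local(elem.tag) == "servlet-mapping" and _child_text(elem, "servlet-name") in findings:
            entry = findings[_child_text(elem, "servlet-name")]
            entry["patterns"] += [(c.text or "").strip() for c in elem if _local(c.tag) == "url-pattern"]
    return findings
```

An empty result for every descriptor in the deployment means the CGI servlet has been configured out.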

However, Jetty is not hardened against hostile code. There are probably security issues if you run untrusted servlets within Jetty. That said, the servlet spec itself has several security problems when running untrusted servlets.

Jetty does allow permission files to be configured per context, so it can be configured to restrict access to the system and libraries from servlet code. However, there may still be some risk of a hostile servlet changing some Jetty configuration. A security audit is recommended if you wish to run untrusted servlets.

It is also simple to configure Jetty down to include only the handler that you need, thus avoiding potential problems.

But there are no guarantees with free software. If you are really concerned, then I suggest you get some consulting for an audit of your actual deployment.