8.1 Restrict runtime access to sensitive packages

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


package.access grants or revokes access to listed packages during runtime. It is recommended that application access to certain packages be restricted.


Prevent web applications from accessing restricted or unknown packages which may be malicious or dangerous to the application.


Edit $CATALINA_BASE/conf/catalina.properties by adding allowed packages to the package.access list:

package.access = sun.,org.apache.catalina.,org.apache.coyote.,org.apache.jasper.,org.apache.tomcat.

Default Value:

The default package.access value within $CATALINA_BASE/conf/catalina.properties is:

package.access = sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat., org.apache.jasper.

See Also