jakarta-taglibs-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 39480] New: - calling getContextClassLoader without doPriv
Date Wed, 03 May 2006 20:33:27 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39480>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39480

           Summary: calling getContextClassLoader without doPriv
           Product: Taglibs
           Version: 1.2.0
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Standard Taglib
        AssignedTo: taglibs-dev@jakarta.apache.org
        ReportedBy: kenna@us.ibm.com


Getting the following exception when running JSTL in the webcontainer runtime
with security turned on:
java.security.AccessControlException: Access denied (java.lang.RuntimePermission
getClassLoader)
	at java.security.AccessController.checkPermission(AccessController.java:104)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
	at
com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:189)
	at java.lang.Thread.getContextClassLoader(Thread.java:484)
	at org.apache.taglibs.standard.tag.common.fmt.BundleSupport.findMatch(Unknown
Source)

According to http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html,
the following restrictions are applied:
If the caller's class loader is null, or is the same as or an ancestor of the
context class loader for the thread whose context class loader is being
requested, no permission is needed. Otherwise,
java.lang.RuntimePermission "getClassLoader"
is required.

In the org.apache.taglibs.standard.tag.common.fmt.BundleSupport.findMatch, among
other areas, JSTL is calling Thread.currentThread().getContextClassLoader());
Since JSTL is now a part of the JEE5 runtime and not a jar added to an
application, these calls to the classloader need to be wrappered with a doPriv
block.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: taglibs-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: taglibs-dev-help@jakarta.apache.org


Mime
View raw message