Return-Path: Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 55407 invoked by uid 500); 18 Apr 2000 23:04:37 -0000 Delivered-To: apmail-jakarta-tomcat-cvs@apache.org Received: (qmail 55394 invoked by uid 1052); 18 Apr 2000 23:04:36 -0000 Date: 18 Apr 2000 23:04:36 -0000 Message-ID: <20000418230436.55393.qmail@locus.apache.org> From: costin@locus.apache.org To: jakarta-tomcat-cvs@apache.org Subject: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/request Jdk12Interceptor.java costin 00/04/18 16:04:35 Modified: src/share/org/apache/tomcat/core Context.java ContextManager.java HttpServletRequestFacade.java HttpServletResponseFacade.java RequestImpl.java ServletWrapper.java Added: src/share/org/apache/tomcat/request Jdk12Interceptor.java Log: - Removed the fix for bug #116 ( class loader problems with JNDI and other libs) - Added back the fix in a better form ( plus support for destroy ). It is now possible to use it only if you need to ( i.e. no need to do several introspections if you are in jdk1.1). We use a normal interceptor that will set the contextClassLoader for JDK1.2 - the code is still jdk independent, but probably it's usefull to just call the real method instead of using invoke() - at least faster... - Start the missing piece for Facade - the ability to restrict access to tomcat internals. It's still a lot of work in this area - review all public methods and constructors, including attributes that are set during jsp processing. Revision Changes Path 1.79 +10 -1 jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java Index: Context.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java,v retrieving revision 1.78 retrieving revision 1.79 diff -u -r1.78 -r1.79 --- Context.java 2000/04/06 21:14:45 1.78 +++ Context.java 2000/04/18 23:04:27 1.79 
@@ -142,7 +142,9 @@ String formErrorPage; int debug=0; - + // are servlets allowed to access internal objects? + boolean trusted=false; + public Context() { // System.out.println("New Context "); // XXX customize it per context @@ -1003,5 +1005,12 @@ this.documentBase=s; } + public void setTrusted( boolean t ) { + trusted=t; + } + + public boolean isTrusted() { + return trusted; + } } 1.71 +1 -0 jakarta-tomcat/src/share/org/apache/tomcat/core/ContextManager.java Index: ContextManager.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/ContextManager.java,v retrieving revision 1.70 retrieving revision 1.71 diff -u -r1.70 -r1.71 --- ContextManager.java 2000/04/17 21:02:26 1.70 +++ ContextManager.java 2000/04/18 23:04:28 1.71 @@ -849,4 +849,5 @@ t.printStackTrace( System.out ); } } + } 1.9 +9 -3 jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletRequestFacade.java Index: HttpServletRequestFacade.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletRequestFacade.java,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- HttpServletRequestFacade.java 2000/04/17 21:02:27 1.8 +++ HttpServletRequestFacade.java 2000/04/18 23:04:29 1.9 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletRequestFacade.java,v 1.8 2000/04/17 21:02:27 costin Exp $ - * $Revision: 1.8 $ - * $Date: 2000/04/17 21:02:27 $ + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletRequestFacade.java,v 1.9 2000/04/18 23:04:29 costin Exp $ + * $Revision: 1.9 $ + * $Date: 2000/04/18 23:04:29 $ * * ==================================================================== * 
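Review bot: `setTrusted(boolean)` in the second Context.java hunk is public and unguarded, so the flag that decides whether servlets may reach Tomcat internals can be flipped by any code holding a `Context` reference. If web application code can obtain the `Context` (the `getRealRequest()` check in this same commit does not block that yet), it could mark its own context as trusted. Consider making the setter package-private or checking a permission before the assignment. The `trusted` field added in the first hunk has no access modifier either, so it is writable from anywhere in its package; a comment such as `// set only by the container while loading configuration, never from web application code` would record the intended owner.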
@@ -91,6 +91,12 @@ public Request getRealRequest() { // XXX In JDK1.2, call a security class to see if the code has // the right permission !!! + Context ctx=request.getContext(); + if( ctx==null || ! ctx.isTrusted() ) { + // you are not allowed to access internal tomcat objects. + // finer control with a security manager... + // throw new SecurityException("Attempt to access internal objects"); + } return request; } 1.12 +5 -4 jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletResponseFacade.java Index: HttpServletResponseFacade.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletResponseFacade.java,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- HttpServletResponseFacade.java 2000/04/17 21:02:27 1.11 +++ HttpServletResponseFacade.java 2000/04/18 23:04:29 1.12 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletResponseFacade.java,v 1.11 2000/04/17 21:02:27 costin Exp $ - * $Revision: 1.11 $ - * $Date: 2000/04/17 21:02:27 $ + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/HttpServletResponseFacade.java,v 1.12 2000/04/18 23:04:29 costin Exp $ + * $Revision: 1.12 $ + * $Date: 2000/04/18 23:04:29 $ * * ==================================================================== * 
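Review bot: The new guard in `getRealRequest()` has no effect, because its body holds only comments, the `throw new SecurityException(...)` is commented out, and `return request;` runs for untrusted and null contexts alike. As written, `Context.isTrusted()` gives no protection, and a reader could mistake the `if` for an enforced check. Until the throw can be enabled, say so at the top of the block, e.g. `// NOT ENFORCED YET: untrusted callers still receive the internal Request`, and consider logging the access so that callers which would break under enforcement can be found. The fail-closed condition (`ctx==null || ! ctx.isTrusted()`) is the right shape to keep once enforcement is switched on.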
@@ -80,7 +80,8 @@ */ public class HttpServletResponseFacade -implements HttpServletResponse { + implements HttpServletResponse +{ private StringManager sm = StringManager.getManager(Constants.Package); 1.28 +4 -4 jakarta-tomcat/src/share/org/apache/tomcat/core/RequestImpl.java Index: RequestImpl.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/RequestImpl.java,v retrieving revision 1.27 retrieving revision 1.28 diff -u -r1.27 -r1.28 --- RequestImpl.java 2000/04/17 21:02:27 1.27 +++ RequestImpl.java 2000/04/18 23:04:30 1.28 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/RequestImpl.java,v 1.27 2000/04/17 21:02:27 costin Exp $ - * $Revision: 1.27 $ - * $Date: 2000/04/17 21:02:27 $ + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/RequestImpl.java,v 1.28 2000/04/18 23:04:30 costin Exp $ + * $Revision: 1.28 $ + * $Date: 2000/04/18 23:04:30 $ * * ==================================================================== * 
@@ -618,7 +618,7 @@ // about security remoteAddr="127.0.0.1"; remoteHost="localhost"; - + for( int i=0; i 5 ) context.log("Setting system loader " + old + " " + cl ); - // context.log("Setting system loader " + old + " " + cl ); - - return old; - } catch (NoSuchMethodException ex ) { - // we don't have the methods, don't try again - haveContextClassLoader=false; - } catch( Exception ex ) { - haveContextClassLoader = false; - context.log( "Error setting jdk context class loader", ex ); - } - return null; + } } - /** @deprecated */ public void handleRequest(final HttpServletRequestFacade request, 1.1 jakarta-tomcat/src/share/org/apache/tomcat/request/Jdk12Interceptor.java Index: Jdk12Interceptor.java =================================================================== /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. 
The names "The Jakarta Project", "Tomcat", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact apache@apache.org. * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * . * * [Additional notices, if required by prior licensing conditions] * */ package org.apache.tomcat.request; import org.apache.tomcat.core.*; import org.apache.tomcat.util.*; import java.io.*; import java.net.*; import java.util.*; import javax.servlet.http.*; /** * JDK1.2 specific options. Fix the class loader, etc. 
*/ public class Jdk12Interceptor extends BaseInterceptor implements RequestInterceptor { ContextManager cm; int debug=0; public Jdk12Interceptor() { } public void setContextManager( ContextManager cm ) { this.cm=cm; } public void setDebug( int i ) { debug=i; } public void preServletInit( Context ctx, ServletWrapper sw ) throws TomcatException { ClassLoader originalCL=null; originalCL = fixJDKContextClassLoader(ctx.getServletLoader().getClassLoader()); // System.out.println("Setting class loader for init()"); } /** Servlet Destroy notification */ public void preServletDestroy( Context ctx, ServletWrapper sw ) throws TomcatException { fixJDKContextClassLoader(ctx.getServletLoader().getClassLoader()); } public void postServletInit( Context ctx, ServletWrapper sw ) throws TomcatException { // no need to change the cl - next requst will do that // ( it's per-thread information ) } /** Called before service method is invoked. */ public int preService(Request request, Response response) { fixJDKContextClassLoader(request.getContext().getServletLoader().getClassLoader()); // System.out.println("Setting class loader for service()"); return 0; } static boolean haveContextClassLoader=true; static Class noParams[]=new Class[0]; static Class clParam[]=new Class[1]; static Object noObjs[]=new Object[0]; static { clParam[0]=ClassLoader.class; } // Before we do init() or service(), we need to do some tricks // with the class loader - see bug #116. // some JDK1.2 code will not work without this fix // we save the originalCL because we might be in include // and we need to revert to it when we finish // that will set a new (JDK)context class loader, and return the old one // if we are in JDK1.2 // XXX move it to interceptor !!! /** Reflection trick to set the context class loader for JDK1.2, without braking JDK1.1. This code can be commented out for 3.1 if it creates any problems - it should work. 
XXX We need to find a better way to do that - maybe make it part of the ServletLoader interface. */ ClassLoader fixJDKContextClassLoader( ClassLoader cl ) { if( cl==null ) return null; if( ! haveContextClassLoader ) return null; Thread t=Thread.currentThread(); try { java.lang.reflect.Method getCCL=t.getClass().getMethod("getContextClassLoader", noParams); java.lang.reflect.Method setCCL=t.getClass().getMethod("setContextClassLoader", clParam) ; if( (getCCL==null) || (setCCL==null) ) { haveContextClassLoader=false; return null; } ClassLoader old=( ClassLoader)getCCL.invoke( t, noObjs ); Object params[]=new Object[1]; params[0]=cl; setCCL.invoke( t, params ); // if( context.getDebug() > 5 ) context.log("Setting system loader " + old + " " + cl ); // context.log("Setting system loader " + old + " " + cl ); return old; } catch (NoSuchMethodException ex ) { // we don't have the methods, don't try again haveContextClassLoader=false; } catch( Exception ex ) { haveContextClassLoader = false; System.out.println( "Error setting jdk context class loader " + ex ); } return null; } }
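Review bot: `fixJDKContextClassLoader()` returns the previous context class loader, but nothing in Jdk12Interceptor restores it. `preServletInit` stores it in `originalCL` and never reads it, `preService` and `preServletDestroy` drop the return value, and `postServletInit` deliberately does nothing. A worker thread therefore keeps the web application's loader after the callback returns, so container code that later resolves classes through the context loader on that thread would use a loader the application controls; whether such code runs before the next `preService` is not visible here. Restoring the saved loader in the matching post-callbacks would bound that exposure. Separately, the `catch( Exception ex )` branch sets the static `haveContextClassLoader = false`, so a single failure of any kind (for example a permission refusal surfaced through `invoke`) disables the fix for every context in the JVM with only a `System.out` line as evidence; only the `NoSuchMethodException` branch should clear the flag.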