tomcat-dev mailing list archives

From: "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject: Re: Curious about classes in server directory
Date: Wed, 04 Oct 2000 18:36:45 GMT

James Cook wrote:

> I'm just curious why the classes in <tomcat>/server are duplicated by the
> classes in <tomcat>/lib. Since the classes in <tomcat>/lib are specified in the
> VM's classpath, one would think that tomcat wouldn't have to load these classes
> from <tomcat>/server.
>

The issue is most visible when talking about the XML parser to be used.  Catalina
and Jasper both need an XML parser -- but they need not use the same one.
Therefore, Catalina sets up a special classpath for all of its internal classes
(i.e. all the JAR files in the server directory) that is separate from the system
classpath.  Bypassing the contents of the "lib" directory means there will never be
any potential for a user-supplied class (installed in the "lib" directory) messing
up the internal operation of Catalina.

>
> The reason for the duplication must assume that the server's classloader (for
> server-specific functionality), must exclude the system classpath. Why is that?
> I am not aware of a security problem with this approach, unless the server class
> loader looks at the VM classpath first. Is this the case?
>

Actually, the system class path is currently (post-milestone-1) configured with
*only* the following contents:
    $CATALINA_HOME/bin/bootstrap.jar
    $CATALINA_HOME/bin/servlet.jar
    $JAVA_HOME/lib/tools.jar

The JAR files in the "lib" directory are assembled into a special classloader called
the "Shared" class loader.  This class loader ends up in between the system
classloader and the webapp classloader, and is visible to all webapps (but not to
the Catalina core classes).  It is not really there for security related reasons --
it is there to enforce the new 2.3 requirements for checking the existence of
optional packages (Section 9.6.1).  Doing this requires the container to have
control over the implementation class of the shared classloader.

A document was added to the developer docs directory for Catalina that describes how
and why all the classloaders in Catalina are set up.  If you've got the source
distribution (or are using CVS), point your browser at:

    catalina/docs/dev/classloaders.html

(In the binary distribution, just add "src/" on the front).

>
> thanks,
> jim
>

Craig McClanahan

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat
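
The arrangement described in the message above, as an added illustration that is not part of the original message and is not Tomcat code: two sibling class loaders stand in for the "server" and "lib" directories, and a webapp loader hangs below the shared one. The class name `demo.Parser`, the temporary directories, and the choice of the system loader as the server loader's parent are assumptions made for the sketch; it needs a JDK (11 or later) because it compiles the sample classes at run time.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.tools.ToolProvider;

public class LoaderIsolationDemo {

    // Compile a constructed sample class demo.Parser into its own temp directory.
    static Path compile(String dirName, String label) throws IOException {
        Path root = Files.createTempDirectory(dirName);
        Path src = root.resolve("demo/Parser.java");
        Files.createDirectories(src.getParent());
        Files.writeString(src, "package demo; public class Parser {"
                + " public String toString() { return \"" + label + "\"; } }");
        int rc = ToolProvider.getSystemJavaCompiler()
                .run(null, null, null, "-d", root.toString(), src.toString());
        if (rc != 0) throw new IllegalStateException("compile failed");
        return root;
    }

    public static void main(String[] args) throws Exception {
        // Same class name in both places, like a parser bundled by the
        // container and a different one dropped into lib/ by a user.
        Path serverDir = compile("server", "parser from server/");
        Path libDir = compile("lib", "parser from lib/");

        ClassLoader system = ClassLoader.getSystemClassLoader();
        // Siblings: each delegates upward to the system loader only,
        // so neither can see classes defined by the other.
        try (URLClassLoader server = new URLClassLoader(new URL[] { serverDir.toUri().toURL() }, system);
             URLClassLoader shared = new URLClassLoader(new URL[] { libDir.toUri().toURL() }, system);
             // Models only the parent relationship: webapp -> shared -> system.
             URLClassLoader webapp = new URLClassLoader(new URL[0], shared)) {

            Class<?> core = server.loadClass("demo.Parser");
            Class<?> app = webapp.loadClass("demo.Parser");

            System.out.println("container sees: " + core.getDeclaredConstructor().newInstance());
            System.out.println("webapp sees:    " + app.getDeclaredConstructor().newInstance());
            System.out.println("same Class object? " + (core == app));
            System.out.println("webapp class defined by shared loader? " + (app.getClassLoader() == shared));
        }
    }
}
```

Because neither directory is on the system class path, the container-side lookup and the webapp-side lookup resolve the same class name to two distinct `Class` objects, which is why a class installed in "lib" cannot replace one the container loads from "server".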


