tomcat-dev mailing list archives

From Anil Vijendran
Subject Re: [PROPOSAL] Tomcat 4 SecurityManager implementation
Date Mon, 15 Jan 2001 20:59:35 GMT

Hi Glenn,

I had a few questions/comments on:

> Jasper JSP class loading

> The work directory will be moved inside the web application context
> /WEB-INF/ directory.  This will make security configuration easier
> and security checks more efficient.  The jasper work dir for a context
> would be /WEB-INF/work/.  This should be safe, other important files
> which need to be protected from outside view are stored in
> WEB-INF such as java properties files and class files.
> /WEB-INF/work will not be added to the context's class path.

Instead of this, how about having a parallel tree under a user-specified temp dir
with a workdir per web application?

This wouldn't work too well for webapps that are run from the WAR file itself.
(The WAR file could be expanded but that's an implementation detail and not
necessarily true.)

Also, I'm a bit wary about touching any part of the webapp that the user created.
What if I create a jar from the directory for that web application after you
created the tmp files?

As far as I can remember, the work directory needs to be added to the context's
classpath. Am I missing something?

> Jasper will be modified so that each individual jsp page
> will have its own URLClassLoader.  When each jsp page has
> its own URLClassLoader we can remove the need to munge and version
> the jsp java and class file names.  We can also create directory
> paths in the work dir for the context that matches the jsp page
> path in the context.  This will make it easier to view the
> generated source for a jsp page. When a jsp page is recompiled,
> a new instance of the URLClassLoader for that page will be
> created.

At this point I don't have enough details to -1 this. But I'd suggest you consider
this before going ahead. Classloaders are heavyweight objects. JSP pages are
essentially like HTML pages. There can be many, many of them. Do you want to have a
heavyweight classloader per JSP page (and one for every update of that page?)

Peace, Anil +<:-)
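
The per-page class loader scheme discussed in this message, sketched as an added example that is not part of the original post and is not Tomcat or Jasper code. The class names `PerPageLoaderDemo` and `index_jsp` and the temporary work directory are hypothetical, and a JDK (Java 11 or later) is assumed so that the system compiler is available.

```java
import javax.tools.ToolProvider;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;

public class PerPageLoaderDemo {
    // Stand-in for translating and compiling one page into the work directory.
    // The generated class keeps the same, unversioned name on every recompile.
    static void compile(Path workDir, String body) throws Exception {
        Path src = workDir.resolve("index_jsp.java");
        Files.writeString(src,
            "public class index_jsp { public String render() { return \"" + body + "\"; } }");
        int rc = ToolProvider.getSystemJavaCompiler()
                .run(null, null, null, "-d", workDir.toString(), src.toString());
        if (rc != 0) throw new IllegalStateException("compile failed");
    }

    // One loader per page, created fresh each time the page is (re)compiled.
    // The work directory is visible only through this loader, not through the
    // parent (the stand-in for the context's class path).
    static Class<?> load(Path workDir) throws Exception {
        URLClassLoader loader = new URLClassLoader(
            new URL[] { workDir.toUri().toURL() },
            PerPageLoaderDemo.class.getClassLoader());
        return loader.loadClass("index_jsp");
    }

    static String render(Class<?> page) throws Exception {
        Object instance = page.getDeclaredConstructor().newInstance();
        return (String) page.getMethod("render").invoke(instance);
    }

    public static void main(String[] args) throws Exception {
        Path workDir = Files.createTempDirectory("work");
        compile(workDir, "v1");
        Class<?> first = load(workDir);
        compile(workDir, "v2");          // page updated: same class name, new bytes
        Class<?> second = load(workDir); // new loader picks up the new bytes
        System.out.println(render(first) + " / " + render(second));
        // Same name, different defining loaders, so two distinct classes coexist.
        System.out.println("same class: " + (first == second));
        System.out.println("same loader: " + (first.getClassLoader() == second.getClassLoader()));
        // The old loader and its class stay in memory for as long as anything
        // still references them, which is the per-page cost raised above.
    }
}
```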
