tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Fabien Le Floc'h <>
Subject security and a servlet using core catalina classes
Date Thu, 10 May 2001 00:05:19 GMT
Thanks for your answer,

I decided to put my servlet in the catalina hierarchy (on my personal computer). When it will
be more advanced, I could even propose it as a contribution to catalina.

But I think would have been possible to bypass the "security" by just using reflection to
call the core methods.



Glenn Nielsen <> writes:

> In Tomcat 4 the "core" catalina classes in servlet/lib/catalina.jar are hidden 
> from servlets. A servlet should use the standard Servlet 2.3 classes to 
> access public information for the request.  Your servlet would not be portable 
> across differenct servlet containers if you used internal servlet container classes.
> In addition, making those interal tomcat classes visible to web applications
> could allow the security of the servlet container and web applications to be compromised.
> Regards,
> Glenn
> Fabien Le Floc'h wrote:
> > 
> > Hello,
> > 
> > I am sorry to bother you. But I am trying to write a servlet that uses some core
apache classes and I have problems running it.
> > 
> > - If I use a war archive, tomcat does not find the tomcat classes/servlet classes
when it starts the servlet. (ClassNoDefFound error). If I then add the catalina.jar and servlet.jar
to the classpath, I have a conflict between classes loaded dynamically by tomcat and classes
in the classpath. (More precisely I have an object whose class is ServletWrapper but is not
an instance of ServletWrapper. This is because (I guess) the object is created by the Tomcat
classloader and it is compared with an instance of the classpath objects),
> > 
> > - If I put the jar file in the common/lib directory, it finds the servlet classes
but not the tomcat classes.
> > 
> > - If I put the jar file in server/lib directory, it does not load my servlet.
> > 
> > The only way I can make it work is to put it in the catalina.jar file. But that
is not nice at all.
> > 
> > Could someone help me with this?
> > 
> > Thank you.
> > 
> > Fabien Le Floc'h
> > 
> > P.S.: I was wondering if it was user or developer oriented... As I want to use core
Tomcat classes I thought it was developer but maybe I am wrong. Then I apologize.
> -- 
> ----------------------------------------------------------------------
> Glenn Nielsen    | /* Spelin donut madder    |
> MOREnet System Programming               |  * if iz ina coment.      |
> Missouri Research and Education Network  |  */                       |
> ----------------------------------------------------------------------

View raw message